EXPLORING A NEW AUDIT RISK FACTOR THE CIRCUMVENTION ASPECT

Transcription

1 EXPLORING A NEW AUDIT RISK FACTOR THE CIRCUMVENTION ASPECT Stanley X. Lewis, Jr., Troy University J. Scott Magruder, The University of Southern Mississippi Eddy J. Burks, Troy University Carl Smolinski, LSU-Shreveport ABSTRACT The accounting profession considers various risk factors during an audit of financial statements inherent, control and detection to aid in planning and thereby minimizing applied procedures when auditing financial statements produced by a client s financial reporting system. The Sarbanes-Oxley Act (2002) and efforts by COSO (2007) allude to but do not update these risk factors as the profession made efforts to address the changed business environment. However, currently more than 90% of all records maintained in an electronic format and an estimated 70% or more are never converted to hard copy and result in a need for these risk factors to be updated. The research being conducted by the authors explore one aspect of the impact of technology - circumvention. INTRODUCTION The accounting profession considers several types of risk when working with client organizations which are periodically revisited as the business community evolves and changes due to changes in the global marketplace. However, risk as a factor continues to be viewed from primarily from the two traditional perspectives: 1) internal to the organization (client) and 2) external (non-client) risk issues. The traditional perspectives are limited in that they attempt to evaluate risk using descriptive methods without including adequately significant changes in business. More than 90% of all business records are maintained in many electronic formats and it is estimated that 70% or more are not ever converted to hard copy; thus, traditional descriptive efforts to evaluate (and thus manage) risk are showing signs of aging (Montague, 2007). The research being conducted by the authors explore one aspect of a new risk category - the impact of technology on risk. RISK FACTORS The traditional perspective within the accounting profession when considering the risk associated with the audit of a set of financial statements is viewed from two points-of-view: (1) an internal view by a client and (2) the external auditor s view of risk related to the audit. Internal Risk The risk that is internal to a corporation is the risk that internal corporate or management efforts will not result in an effective and efficiency system of internal control and that internal monitoring will not detect weaknesses and problems in a timely manner to assist the board of directors and management in achieving its financial reporting objective.

2 These efforts are commonly referred to as risk management and it has evolved through the years as business failures have been made public resulting in regulatory actions and often with the passage of statutory laws designed to strengthen the financial reporting process vital to investors, employees and other stakeholder groups (COSO, 2004). The National Commission on Fraudulent Financial Reporting established what became known as the Tread way Commission to address several issues including the IR issue as the accounting professional and the greater business community undertook efforts to address weaknesses in the financial reporting efforts. In 1992 the Tread way Commission released Internal Control Integrated Framework as a guide to the business community and thus the accounting profession as an effort to provide a structure for corporations to use in efforts to improve the existing financial reporting systems used. This guide defined internal control as a process, effected by an entity s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories: Effectiveness and efficiency of operations. Reliability of financial reporting. Compliance with applicable laws and regulations The Commission stated success or failure of the internal control process is based upon a judgment of its effectiveness by the company s board of directors and management efforts in achieving reasonable assurance that: They understand the extent to which the entity s operations objectives are being achieved. Reliably published financial statements are being prepared. They are in compliance with applicable laws and regulations (AICPA Basics, 2005) A subsequent or follow up to the 1992 Treadway Commission effort was undertaken and completed by the Committee of Sponsoring Organizations (COSO), subunit of the Treadway Commission, in 2001 led to the issuance an updated guide or framework known as Enterprise Risk Management Integrated Framework (2004) incorporating evolving issues since 1992 and several highly public financial reporting and business failures. Congressional action resulted in the enactment of the Sarbanes-Oxley Act of 2002 (COSO, 2004). The updated framework was completed and circulated in 2004 and provided an updated structure for corporate management and board of directors in their efforts to evaluate and improve what was then being labeled Enterprise Risk Management (ERM) after a series of high-profile business failures (and the corresponding audit failures by the accounting profession) that had led to investors, employees and other stakeholders suffering significant losses The goal of COSO was

3 to provide an improved and more complete framework that incorporated changes in how business was conducted and was one of several attempts by the accounting profession to respond to the perceived failures of public accounting firms in the series of business failures and the enacted Sarbanes-Oxley Act of In the 2004 guide Enterprise Risk Management (ERM) was defined as follows: Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and management risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO, 2004) These efforts have been integrated into changes in professional standards within the accounting profession as it relates to audit engagements. The current professional standards promulgated by the American Institute of Certified Public Accountants (AICPA, 2007 ) described internal risk in terms of two identifiable components: (1) inherent risk (IR) the susceptibility that an account or class of transactions contained within the financial statements or underlying records could be materially misstated, either individually or when aggregated with other misstatements, and (2) control risk (CR) the susceptibility that an inherent risk misstatement could occur and not be prevented or detected by the internal control system (policies and procedures) established by the corporation. (AICPA, 2007) These two components when considered together form what may be labeled Risk of Material Misstatement (RMM) the professional assessment of both inherent and control risk when determining the planning, completion and conclusion of an audit engagement. However, RMM is only one aspect of the issues involved when professionals are associated with services that involve risk and describes the risks from the perspective of the corporation and not the accounting professional. The CPA is not able to directly manage IR and thereby control it since it is a function of the inherent nature of an account (such as cash) and/or classes of transactions (such as Internet-based sales). Equally important is that the CPA is not able to manage (and thereby control) CR since it is the result of decisions, policies, procedures and the resulting environment in which events and activities are recorded in the general ledger system and are the underlying documentation for summarized data in the financial statements created by the board of directors and management. However, the CPA should be able to evaluate the adequacy of the client s efforts to create a reasonable internal control environment that will address adequately the IR in their financial reporting system (AICPA, 2007). External Risk The certified public accountants (CPAs) engaged to audit financial statements prepared by a client s financial reporting systems are required to assess the RMM describing a client s internal risk (both IR and CR). However, two other areas of risk

4 to be considered in order for the professional to develop a complete understanding and consideration of the entire spectrum of risk in an audit environment - detection risk and audit risk. Detection Risk (DR) the failure by the auditor to detect and assess correctly the internal (to the corporation) risk factors and thereby not correctly assessing risk and thus being associated with misleading financial statements and an incorrect audit report. Auditors attempt to manage this risk by considering to areas of risk: (1) tests of details risk (TD) or the risk that audit procedures did not detect material weaknesses in the client s internal control system that underlies its financial reporting system, and (2) substantive analytical procedures risk (AP) or the risk that audit procedures applied beyond those test of details procedures did not detect material weaknesses in the financial statements produced by the client s financial reporting system. Audit Risk (AR) the cumulative risk that an auditor is associated with materially misstated financial statements by incorrectly assessing the various components of risk during an audit and is a cumulative perspective of all risk factors (inherent, control and detection). The AICPA describes a general model for understanding the general relationship of audit risk and the other risk components described above and thereby control overall risk of releasing a report associated with a set of financial statements by the use of numerical calculations. AR = RMM x DR RMM = Inherent Risk (IR) x Control Risk (CR) DR = Detection Risk The external auditor can manage (and thus control) DR during audit planning and the subsequent application of audit procedures (TD and AP) and are found in common audit practice guides used within the profession. (AICPA, 2007 and AICPA, Internal Control, 2005) The rationale is simple, the auditors wish to reduce or restrict their legal exposure or liability to investors, employees and other stakeholder groups. Evidence gathered by CPAs during the conduct of an audit of financial statements prepared (and thus subsequently published or distributed) in a client s financial reporting system should also be examined from two other perspectives: (1) the detection of fraud, and (2) the impact of technology on the financial reporting system and the related internal control system. Fraud Detection The importance of fraud is viewed in the context of negligence. Two degrees of negligence are important in understanding of it in relation to audit risk and fraud: ordinary negligence or the lack of reasonable care when performing services, and gross negligence or a lack of even minimum care when performing services. The

5 profession view is found in AICPA (2007) where fraud is defined and described as an: intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Two types of misstatements resulting from fraud are relevant to the auditor s consideration in a financial statement audit: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. In the AICPA (2007) the responsibility to be assumed by the auditor: Although the auditor has no responsibility to plan and perform the audit to detect immaterial misstatements, there is a distinction in the auditor s response to detected misstatements depending on whether those misstatements are caused by error or fraud. When the auditor encounters evidence of potential fraud, regardless of its materiality, the auditor should consider the implications for the integrity of management or employees and the possible effect on other aspects of the audit. The accounting profession attempts to use these definitions when assessing audit risk, determining DR (TD and AP) and determining the implications (effectiveness) of a client s internal control system (IR and CR) which should designed to provide reasonable assurance regarding the achievement of objectives as described by COSO in its 2004 framework: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations (COSO, 2007). Auditing Computer-based Information Systems With in the accounting professional is minimal guidance as to how auditors should gather evidence to form the basis for their report which will be issued with a client s audited financial statements. Three common approaches utilized by CPAs and learned from experience by some of the researchers are: (1) auditing around the easiest and more common approach used within the profession is to compare known inputs with outputs generated by a client s information system, (2) auditing through the more difficult approach for CPAs to use since it requires a level of indepth knowledge about information systems and technology that most CPAs do not possess nor do they have the technical expertise to obtain the level of understanding of technical (electronic) control procedures in place by the information system, and (3) auditing with computer aided tools or the practice of using computer technology to automate and/or simplify the audit process (Wikipedia, 2007). The implications for the accounting profession to continue to select the more traditional approach

6 (auditing around the computer) raises the question as to whether or not CPAs are adequately evaluating their audit risk (AR) and the detection risk (DR) component correctly during planning for a financial statement audit, and, thereby, actually increasing their exposure to claims of gross negligence and fraud. Circumvention & Fraud Risk In general there it is assumed that in today s environment a business will use technology. In fact, the level of usage is described by Montague (2007) as 90% of all records are now maintained in electronic format and 70% of those are never printed out in hard copy. Current research focused on one aspect of evidence gathering by the CPA during a financial statement audit the circumvention of the board of directors and managements internal control system policies and procedures. This circumvention is of interest since the corporate environment of today includes a networked information technology (IT) professional unit that utilizes virus scanning tools, firewalls, network operating system features to manage the access to the company s system. Most of the attention is focused on the use of well-known tools or procedures such as matching user names to passwords and the use of firewalls to reduce the intrusions by hackers. Equally important to the internal efforts under COSO business guidelines is the ability of auditors to know how to prevent and when necessary to detect errors or irregularities. Thus, in today s network environment an auditor must have a greater level of an understanding of intrusion tools which could be used for fraudulent activities and ways to detect the misuse of such tools. These tools that can be easily be used to circumvent existing security procedures in a computerbased information system and enable unauthorized access to individuals that may wish to obtain company information-data and/or cause malicious harm to the networked system. An understanding of the potential existence of such tools and their usage is important to financial statement auditors and specialized auditors such as fraud examiners and forensic accountants who are engaged to determine the nature, level and implications of activities which are suspicious of being fraudulent including the inappropriate use of company assets-resources including company information-data and use of its information system for questionable activities. Several intrusion techniques (or tools) could be identified as tools for circumvention efforts. The current research focused on only one of these Port Knocking Individuals assigned the responsibility to complete tests of details and apply substantive tests need at a minimum an awareness of intrusion tools such as port knocking when assessing a computer system to determine if it will prevent and/or detect efforts that are considered fraudulent. If an auditor is to be effective in managing audit risk (AR) and provide legal defenses against claims of gross negligence or fraud greater knowledge of such activities is crucial. Pork Knocking serves as the basis for an illustration of a circumvention scenario that could be non-

7 readily detected but could have significant consequences to the client and other relying upon the CPA to detect fraudulent during an audit of financial statements. Port Knocking The circumvention method of Port Knocking was described in by Krzywinski as a process for a remote user to connect to a server when the port (service) is closed and a firewall is in place. The remote user sends a sequence of requests to the server. All of the ports are closed and attempts are logged by the firewall system that also contains software to monitors the firewall's logs. However, the software will open a given port when a correct sequence of port attempts is detected. When this happens the remote user can then access the requested port. This is a form of "a stealthy method of authentication and information transfer to a networked machine that has no open ports" (Krzywinski, 2003). The transmission of any type encoded information is the link to where fraudulent activities can become a consideration to an auditor. A Simple Scenario of Port Knocking In simple terms port knocking refers to the electronic interactions between two computers as one attempts to open a closed port and thus pass through the second s firewall. The IT unit as part of its responsibility manages the networked system including the firewall (good) and the ability of individuals to use of port knocking to pass messages between computers (individuals) in a manner that bypasses or circumvents the normal network security features (bad). How can port knocking work? Consider a simple scenario - suppose that an underpaid employee agrees to be involved in a scheme to provide internally developed calculations used in the standard cost system when the business is developing competitive bids. These bids will form the basis for a significant portion of annual revenue when the contract is awarded. The costs are considered sensitive and are carefully guarded from release to the industry association and news media due to the highly volatile industry. The knowledge of these costs by competitors could result in successful competitive bids by others and result in loss revenue for the business. The use of a computer backdoor which had not been closed by the IT staff to introduce a surrogate virus program allowing someone to insert into the system a program that permits the altering of system access logs to conceal activities from the obvious detection by system auditors (Magruder, 1992). By accessing the system via the firm s Intranet (for example, the shipping/receiving department), a transparent communication operation using port knocking could be established allowing a person in cost accounting (underpaid employee) to transmit coded data to another in the shipping/receiving unit (co-conspirator) who in turn can transfer the coded data to the external person. The two employees are able to pass coded

8 information between their locations internally. Generally, the businesses firewall would not be effective since both the sender and receiver are both internal in the system (e.g., on the same side of the firewall used by the system). External transmissions from the shipping/receiving department are numerous and routine and the firewall is structured to permit more ready transmission from this location to external computers resulting in the firewall not easily detecting transmissions from this location. In addition, the transmission out is not monitored as extensively as the in-coming transmission which was designated a higher priority for internal control purposes. In essence, the conspirators would be able to transmit sensitive data to others outside the corporate system in a manner that is not easily detected. The potential impact of circumvention tools, such as Port Knocking, are not being considered in the auditor s current approach to determining and managing audit risk as established by the accounting profession. The impact of technology is a factor that is not adequately included in audit risk decisions. Circumvention - Can This Be Done? Can this be done? The answer is yes. It can be done easily by anyone with minimal programming knowledge such as a part-time student and full-time employee in shipping/receiving department of the hypothetical company. Most companies use a client-server environment and, thus, those internal to the company (cost accounting and shipping/receiving clerks) simply need ta simple software module (program) written in a language such as perl instructing the network server to take the message, map the characters to predefined ports and send the message to the receiver computer client. Both clerks and the external coconspirator would install and use the same module and thus have the same port mapping information and decoding features for messages. One very important aspect is this process is meant to be as "invisible" as possible, so the information is not sent all at once but rather sent over (perhaps) an extended period of time to minimize monitoring software detecting a pattern of unusual behavior. At most, a stray packet here and there may be detected if the network utilizes a sniffer program; however, typically an internal sniffer program seldom is used since efforts are directed toward the detection of outside intrusions attempting to enter the firm s system. Sending out coded data becomes easy. An indepth discussion of the programming for port knocking was described by Magruder (2005). Early the messages could only be sent during working hours since messages sent after working hours may more easily be detected by the system. CONCLUSIONS Several types of risk are considered by the auditor from the two traditional perspectives of internal and external to a client organization. However, these risk factors are changing due to changes in the global marketplace. One concern is the auditor s use of descriptive methods which do not adequately consider significant changes in business technology usage. A significant portion of all business records

9 being maintained electronically as well as most are not converted to hard copy results in these traditional descriptive efforts have the opposite effect of what is intended. Rather, than improving the profession s management of audit risk the adherence to the traditional views of audit risk actually have the potential to increase the profession s risk during audits of financial statement. The current research explored one aspect of the audit risk issue - the potential impact of technology on the risk to the auditor of failing to detect fraudulent activities within a client s internal control system. REFERENCES AICPA Audit Committee Toolkit, Internal Control: A Tool for the Audit Committee, AICPA, The AICPA Audit Committee Toolkit, 2005, Basics of Internal Control, page 1. AICPA, Professional Standards, Vol. I (July 7, 2007), AU 312, pages Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Executive Summary, September 2004, pages v - 2. Committee of Sponsoring Organizations of the Treadway Commission, Internal Control Integrated Framework - guidance on Monitoring Internal Control Systems, Discussion Document, September 2007, page 3. In Wikipedia, Computer Aided Audit Tools, Krzywinski, M., Port Knocking Network Authentication Across Closed Ports, SysAdmin Magazine, 2003, 12: Magruder, J. Scott; and Lewis, Stanley X., Jr.; "Espionage Via Viruses," COMPUTER FRAUD & SECURITY BULLETIN, (January 1992), pp Magruder, Scott; Lewis, Stanley X. Jr.; and Chen, Kuo Lane; Sending Messages Via Port Knocking; 2005 Information Resources Management Association International Conference Proceedings; San Diego, California; May 15-18, 2005; pages Montague, Brian A., Report from Counsel Comments on Recent Legal Developments and Trends from Law Offices of Brian A. Montague, PLLC, Navigating Electronic Discovery Rules, Fall 2007, page 4. Treadway Commission, Internal Control Integrated Framework, 1992.