Statutory Audits, Information Security and the Digital Divide - Research Paper Example

Summary
This paper examines the role of information security professionals in controlling risks in a period of fast IT growth and the role of corporate governance and statutory audit in ensuring that those systems are working. The research involves a critical literature review…

Extract of sample "Statutory Audits, Information Security and the Digital Divide"

“Information security is the vehicle through which the organization's information assets are secured” (Whitman & Mattord, 2010, p. 3). This means that information security is primarily concerned with safeguarding both hard and soft information resources in a business. The main stakeholders in information security matters include information security managers, IT managers, other managers and the end users in the organization.

The narrowing of the digital divide and the increase in computer users have transformed more ordinary users of communication systems into mass communicators (Lacey, 2009, p. 5). Due to this, information can be easily misused and important ethics breached with little restriction. Thus, there is a need for controls and ethics to reduce challenges to information security.

Most businesses attain information security through the institution of controls. Corporate governance rules require that the people running organizations, viz. the board of directors and top managers, institute controls and ensure they are working (Nnolim, 2007, p. 69). Information security is one of the core controls that managers need to employ.

As a requirement by law, public companies need to appoint external auditors to undertake a thorough audit of the systems, operations and financial transactions of the business and pass an opinion on the truth and fairness of the accounts and systems (Millichamp, 2011, p. 2). Most private companies are required to conduct external audits by important stakeholders such as banks. Information security falls under the core areas of statutory or external audits. This is governed by the Generally Accepted Accountancy Practice (GAAP) rules of the American Institute of Certified Public Accountants. There is, evidently, a strong connection among information security, the increase in information security risks that comes with the bridging of the digital divide, corporate governance and statutory audit.
This paper will examine the role of information security professionals in controlling risks in a period of fast IT growth and the role of corporate governance and statutory audit in ensuring that those systems are working. In attaining this end, the following objectives will be met:

1. An assessment of the role of controls in combating the risk of the bridging of the digital divide and its corresponding abuse of information.
2. A review of the role of statutory/external audits and governing rules in the AICPA Ethics in ensuring that information security systems and controls are working appropriately.
3. The responsibility of Information Technology professionals in cooperating with statutory audits during such exercises.

The research will involve a critical literature review. This will involve the perusal of secondary sources and books to attain the objectives outlined above.

2.0 Literature Review

This section will define the core concepts that are being reviewed in this study. This will set the framework for further analysis of the interconnectedness of the different concepts and how they work together to support organizations to keep running.

2.1 Information Security

According to Nnolim (2007, p. 4), ISO defines Information Security as “The preservation of Confidentiality (ensuring that information is accessible only to those authorized to have access), Integrity (safeguard the accuracy and completeness of information and processing methods), & Availability (ensuring that authorized users have access to information and associated assets when required).” Reputation management is central to this. This sorts and classifies different interchanges within systems to ensure that all information exchanged meets a given criterion. This gives room for a proactive method of dealing with risks. Information security is, therefore, premised on these three core elements and aspects for safeguarding and protecting these values.
Through this, information is prevented from abuse and misuse.

Information security also comes with some important concepts and ideas. Assets include everything that has value to the organization, its business operation and its continuity (Alexander et al., 2008, p. 2). This means that information security encompasses all tangible and intangible aspects of the organization that are relevant. This includes hardware and software. A threat is a potential cause of an incident that may result in harm to the system or organization (Alexander et al., 2008, p. 2). Vulnerability refers to the weakness of an asset or group of assets that can be exploited by one or more threats (Alexander et al., 2008, p. 3). Whilst risk is the potential that a threat will exploit a vulnerability, impact is the result of an information security incident (Kissel, 2010, p. 56).

2.2 Digital Divide

Digital divide refers to the “socio-economic gap between communities that have access to computers and the Internet and those that do not” (Fitch, 2009, p. 7). This means that the concept is about the social and economic differences that exist between two communities, which can be attributed directly or partially to access to advanced technology such as computers and the Internet. West identifies five main pointers that are responsible for the digital drift (2011, p. xxvi):

1. The opportunity for businesses in the community to do business online and the potential benefits for both consumers and the business.
2. Governments and public organizations can cut down on costs and improve efficiency because of computers.
3. Computers and the Internet support effective decision making.
4. There are cheaper ways of doing things.
5. Online transactions are convenient and make life better for people in the community.

However, the digital divide is not always advantageous.
Koepnick (2009) identifies that the bridging of the digital divide and the proliferation of computerized information systems pave the way for irreversible abuse of information. There is, therefore, a need for more sophisticated systems to prevent the abuse of information. This requires stronger information security systems.

2.3 Corporate Governance

“Corporate governance refers to the relationship that exists between different participants and defines the direction and performance of a corporate firm” (Prasad, 2011, p. 1). Corporate governance is, therefore, a system of defining the relationship between shareholders, the board of directors and the CEO/management of an organization. Fernando (2009) goes on to state that there are two senses of examining corporate governance. In the narrow sense, corporate governance involves the relationship between a company and its shareholders. It is about how shareholders ensure that the company is controlled and run by competent people and that proper systems are in place to ensure optimum results. In the wider sense, corporate governance is the regulation and control of how a business relates to its stakeholders or parties connected to the business.

2.4 Statutory Audit

An audit is defined by Walton (2010, p. 202) as “an independent review of the internal activities, systems maintained and reports presented by an entity's management by external parties, appointed by shareholders.” In the United States, statutory audit is required by the Public Company Accounting Oversight Board (Greene, 2010). The PCAOB is a nonprofit corporation established by Congress to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports. The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection (PCAOB, 2012).
This requires all public companies to be audited. Also, Section 404 of the Sarbanes-Oxley Act of 2002 requires companies to be audited by an external party.

3.0 Methodology

The research will examine the duty of the information security professional in an entity in relation to the main issues discussed:

1. Corporate governance
2. External audit, and
3. Changes in the digital divide.

The research will examine what ethical obligations are required of the information security professional by convention and rules under the three concepts above.

3.1 Research Approach

The research, therefore, examines the rules, regulations and conventions related to the three concepts through a perusal of relevant literature and sources of law.

3.2 Research Analysis & Interpretation

For each item, the obligations placed on the information technology professionals will be assessed. This will be the basis for identifying various ethical requirements of information security professionals.

4.0 Results

This section discusses core concepts and ideas about the three variables under discussion. The findings are collated in relation to their relevance to the information security professional. This is to be matched into further details under the discussion segment.

4.1 Corporate Governance

Corporate governance became very significant in the corporate world after a series of serious financial scandals rocked major businesses (Nelson, 2010, p. 2). “The problems stem significantly and systematically from the failure of governance, oversight of risk management at the corporate legislature and regulatory recklessness” (Steinberg, 2011, p. xvii). Most secondary sources attribute the cases of Enron and WorldCom to poor governance and controls. Also, the management made wrong decisions and took inappropriate actions, which led to the demise of the companies. These issues involved connivance on the part of auditors who cooperated in these corporate scandals.
Corporate governance was, therefore, advocated to deal with risks, promote responsible leadership and enhance auditing. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) made recommendations back in 1992, which required the board and management to ensure three things: legal compliance, effective and efficient operations and reliable financial reporting (Nelson, 2010, p. 7). These were implemented by a small group of companies.

The spate of corporate collapses in the early 21st century caused the US government to find ways of getting people charged with corporate governance to act more responsibly. This led to the Sarbanes-Oxley Act. Section 404 of the Sarbanes-Oxley Act stated that “corporations must establish and maintain an adequate internal control structure and procedures for financial reporting.”

Furthermore, in 2004, the COSO framework was modified into an integrated framework. Since 1992, the COSO framework had succeeded in promoting responsible corporate governance. The 2004 Integrated Framework became a preventive antidote that reduced risks in corporate governance. This required the people charged with governance to carry out risk management in four categories: strategic, operations, legal and reporting matters.

4.2 Statutory/External Audit

Audit in public companies in the United States is done under the rules of several groups such as the American Institute of Certified Public Accountants and PCAOB (Stickney, 2010, p. 841). The core professional standards of AICPA in statutory audit are to carry out their activities with professionalism, with regard to public interest, integrity, objectivity, due care and according to the scope and nature of the engagement (Johnstone et al., 2011, p. 39). The scope of audit includes three main types: annual financial statement audits, operation audit and special purpose audit (Ledgerwood & White, 2011, p. 392).
Financial statement audits result in an opinion of the truth and fairness audits. Operation audits often end with management letters which state the weaknesses in the operation systems. Gray and Manson (2007) identify that external auditors need to measure three main risks: inherent risks, control risks and detection risks. These come together to determine the audit risk, which is the risk that relevant issues would not be detected. The inherent risk and control risk relate to the internal control systems. If they are high, the auditor needs to increase his efforts to detect issues and vice versa.

4.3 Bridging the Digital Divide & Information Security Implications

Bridging the digital divide leads to a situation where different people get more information. This increases risks for information system internal controls. Khosrowpour (2009) identifies that bridging the digital divide leads to information warfare, and that the abuse of the freedom of speech can be detrimental to a business' competitive position and internal controls. Also, there are some privacy and confidentiality issues as well as risks with copyright laws (Khosrowpour, 2009, p. 235). As more people become IT savvy, this risk increases further. The main areas of ethical difficulty are digital security and asset security (Chander & Kush, 2011, p. 153). These things cause difficulties that can lead to the internal control systems in IT being overridden.

5.0 Discussions

In this section, we will examine the ethical position and ethical expectations of the information security professional in relation to the three variables.

5.1 Corporate Governance

Information security is important to ensure the implementation of the COSO framework as a tool for risk management. Information security risks are major risks to operations, the strategic position of a business, financial reporting integrity and other legal matters. The information security professional needs to provide technical advice to the management on risks.
This will help the management to take better risk management decisions in relation to information security. The information security professional must also monitor the system and detect emerging technical risks. Also, they will need to take reports of new risks and act on them. Information security professionals also need to report regularly to the top level management so that they get up-to-date information about the realities.

5.2 External Audit

Information security professionals are important to external auditors. First of all, they will need to help auditors to understand the system and its risks. This will help in planning the audit. Information security professionals also have to give information about the current system for operational audits and management weakness assessments. Information security professionals are required by law to be truthful in their disclosure to external auditors. They need to honor relevant ethics in dealing with auditors.

5.3 Bridging the Digital Divide & Information Security Implications

With more information circulating with the bridging of the digital divide, there is a need for information security professionals to play a proactive role in the company. According to Satyanarayana (2009), the proactive system must ensure that these professionals expand the scope of the information system management structure. This should enable them to assess risks regularly and formulate choices, select the best choices and implement them. The current strategy must be reviewed regularly.

6.0 Conclusion

Information security is an important part of businesses' internal control system in a world of information system advancement. Statutory auditors require honest and cooperative information security professionals to assess control risks and the integrity of financial information and reports. Corporate governance also requires information security to undertake risk management efficiently.
Finally, bridging of the digital divide requires a more proactive approach to information security.

References

Alexander, D., French, A., Taylor, A., & Sutton, D. (2008). Information security management principles. Swindon: British Computer Society.
Chander, S., & Kush, A. (2011). Information security measurement & e-governance. London: Springer.
Fernando, A. C. (2009). Corporate governance: Principles & practices. New Delhi: Prentice-Hall.
Fitch, S. E. (2009). Digital divide: An equation needing a solution. New York: Lulu Publishing.
Gray, I., & Manson, S. (2007). The auditing process: Principles, practice & cases. Mason, OH: Cengage.
Greene, E. F. (2010). US regulation of international securities & derivatives. Aspen: Aspen Publishers.
Johnstone, K., Grambling, A., & Ritterberg, L. E. (2011). Auditing. Mason, OH: Cengage.
Khosrowpour, M. (2009). Innovations through IT. New York: IGI Group.
Kissel, R. (2010). Glossary of information security terms. Darby, PA: DIANA Publishing.
Koepnick, L. P. (2009). After the digital divide? Rochester: Camden House.
Lacey, D. (2009). Managing the human factor in information security. Hoboken, NJ: John Wiley & Sons.
Ledgerwood, J., & White, V. (2011). Transforming microfinance institutions. New York: World Bank.
Millichamp, J. (2011). Auditing. London: Hodder Education.
Nelson, B. (2010). Law & ethics in global business. New York: McGraw Hill.
Nnolim, A. L. (2007). A framework & methodology for information security management. Cambridge: Proquest.
PCAOB. (2012). PCAOB home page. Retrieved 15th September 2012 from http://pcaobus.org/Pages/default.aspx.
Prasad, I. (2011). Corporate governance. New Delhi: PHI Learning.
Satyanarayana, J. (2009). E-Government: The source of the possible. New Delhi: Prentice Hall India.
Steinberg, R. M. (2011). Governance, risk management & compliance. Hoboken, NJ: John Wiley & Sons.
Stickney, C. P. (2010). Financial accounting: An introduction to concepts, methods & issues. Mason, OH: Cengage.
Walton, P. (2010). International accounting. Mason, OH: Cengage.
West, J. (2011). Without a Net: Librarians bridging the digital divide. Santa Barbara: ABC-CLIO.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security. Mason, OH: Cengage.