Monday, February 25, 2013

Employee Access - Facebook

Posted by EYHokie

I did a quick search for security breach and up came an article about Apple getting hacked. In reading through the article, I came across a link to a Facebook post. It looks like there has been a string of high-profile companies that have gotten hacked recently.

The article talks about how Facebook employees went to a website with malware. That got me thinking! How do you control employees from an audit standpoint?

As an industry there has been a push to move towards a risk-based approach.  What does that mean?  For me, I believe there are several ways to look at this.  My initial reaction is to approach the issue from a financial standpoint.  For some companies there may be areas of the business that are just as important (i.e. customer information, credit card information, health care information, proprietary data, etc.).  To focus solely on the financials (GL package and those systems feeding it) may not be enough. I hope you have already scoped out the areas of focus.

Let's stick with financials first since Facebook has already had issues (on Wall Street) with that. Though I will say, they have a pretty sweet gig with paying no taxes. I believe a malware virus can hit Facebook and, without knowing their accounting structure, it should have little financial reporting impact.

Sure. As IT Auditors we want to dive into all the IT controls that need to be in place in the application and the database. However, let's take into consideration the bigger picture. What's the potential risk? Ultimately it is the risk that the 10-K filing is inaccurate. Is that possible from a malware virus? I suppose anything is possible, but not likely. Why? The accounting department must have strong manual controls in place. We are not in a state where the accounting department can step completely away from manual controls. There should still be monthly account reconciliations at a minimum.

Do I think Facebook faced a big risk? Absolutely. Did they face a financial risk? Probably not. Should they work to control (either systematically or via policies/training) the websites their employees visit? Absolutely.




http://www.fastcompany.com/3005987/fast-feed/facebook-says-it-was-target-sophisticated-attack
http://www.wsav.com/story/21140135/facebook-stock-slides-after-analysts-downgrades
http://www.forbes.com/sites/robertwood/2013/02/19/tax-increases-why-facebooks-billion-dollar-income-isnt-taxed-at-all-by-irs/
