Project SOX
ACCT 620: Cyber Accounting: Management and Compliance
I. Title: SOX Compliance: Information Guidance for Organizations.
II. Introduction
After securing your new MS in accounting degree, you’re feeling pretty confident in yourself and decide to look for work in consulting. Your favorite graduate school professor encouraged you to apply to the international consulting firm Kesterman International Consulting, Inc. (KIC). You apply and are hired immediately. Congratulations! Since you previously worked for KIC as an intern, you’re familiar with the company’s policies and practices. Plus, some of your old colleagues still work at KIC, which makes you feel comfortable immediately. The only challenge is that your new supervisor, Mike, can be a bit long-winded and is known to be a micromanager. Your closest colleagues refer to him as Mike-romanager. Nonetheless, you are excited to be working in consulting. Mike requests a meeting with you to discuss your first assignment. The meeting is scheduled for your second Monday on the job at 9 AM in Mike’s office. Mike starts out by explaining who the client is and what they want. The client is a private contractor, Palmer, Inc., which earns almost all of its revenue from government contracts. Palmer hired KIC to prepare a report that addresses its concerns regarding SOX compliance. Specifically, Palmer would like the report to address:
a) Whether regulators are leaning toward making SOX compliance voluntary or mandatory,
b) Whether the requirements are likely to deter insider trading and selective disclosure of cyber incidents, and
c) A cost-benefit analysis of implementing SOX at Palmer, Inc.
Mike continues to explain that AICPA compliance guidance for the Sarbanes-Oxley Act of 2002 (SOX Act) now embraces cybersecurity, which of course you already knew. Mike feels these elective/voluntary audits may open a whole new field for cybersecurity accountants, especially from Sarbanes-Oxley engagements, and he thinks you have the competencies to work as a cybersecurity accountant, or cyber-accountant. You nod in agreement even though you are not sure at this point whether becoming a cyber-accountant is your career goal. Mike goes on explaining that:
Cybersecurity threats continue to increase and escalate. Managers, investors, employees, customers, the board of directors, and other stakeholders from organizations of all sizes and sectors are seeking better and faster solutions. Further, Mike believes that organizational leaders, including himself, are under increasing pressure to demonstrate that they are managing these threats and have effective processes and controls in place to prevent and detect breaches that could disrupt their clients’ businesses, result in financial losses, or destroy their reputation.
Mike continues:
On May 1, 2017, the AICPA published a guide for using System and Organization Controls (SOC) for Cybersecurity, which is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. Mike firmly believes it is important to recognize that cybersecurity is not just an IT problem; it is an enterprise risk management problem that requires a global solution. Organizations can use the AICPA reporting framework, SOC for Cybersecurity, and related criteria to enhance their cybersecurity risk management reporting.
Further, Mike states that:
CPAs can use the SOC for Cybersecurity reporting framework to examine and report on the effectiveness of controls to achieve an entity’s stated cybersecurity objectives.
At this point, you’re ready to get started working, but Mike continues on as if he is preaching to a newbie. To be respectful, you patiently sit and listen to what Mike has to say.
The AICPA established new guidance for CPAs conducting cybersecurity attestation engagements. Information security and cybersecurity are two separate domains that differ but are closely aligned. Information security encompasses protecting information from unauthorized access or modification, whether the data is at rest or in motion, in all stages of information management, e.g., storage, processing, or transit. Unlike cybersecurity risk, information security risk could be completely within an organization and does not necessarily involve external exposure. Cybersecurity refers to the processes and controls implemented by an entity to manage cybersecurity risks. Since the processes and controls that confront cybersecurity risks also address information security risks, the terms information security and cybersecurity are often used interchangeably.
Finally, it seems that Mike is almost finished with his soliloquy, but he goes on a bit longer.
From a practical standpoint, however, the difference is minor because most entities store, process, use, and transmit information electronically and frequently have an interface with the Internet. The perspective with respect to cybersecurity is internet-centric and defensive, hence the common cybersecurity concept term, “defense in depth.”
Senior management is acknowledging the new and magnified risks inherent with doing business on the Internet. Additionally, organizational leaders recognize that cyberspace can be used for criminal and malicious purposes. Thus, entities must continually develop more effective and highly targeted processes and controls to respond to those risks. This is the new world for accountants and auditors. Mike asks: Are you ready?
You respond, “Absolutely,” and leave his office to start working on the project. You decide to conduct research before starting to prepare the client report. First, you decide to read Commission Statement and Guidance on Public Company Cybersecurity Disclosures, https://www.sec.gov/rules/interp/2018/33-10459.pdf, which is dated February 26, 2018. You learn that regulators such as the AICPA, the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC) are becoming more prescriptive on corporate public disclosure requirements, as originally intended with the passage of the Sarbanes-Oxley Act of 2002. While compliance audits are still voluntary, the regulators are demanding more details on material incidents, with emphasis on promptly reporting the negative financial impact of cyber breaches and without selective disclosure, which may influence stock prices.
III. Steps to Completion
o Read the Commission Statement and Guidance on Public Company Cybersecurity Disclosures
o Read An Overview of Sarbanes-Oxley for the Information Security Professional dated May 9, 2004. To retrieve this document, go to the SANS Institute public reading room. Login as an individual. This is a read-only white paper. Do not copy this document.
o Read SEC TOPIC 9 - Management's Discussion and Analysis of Financial Position and Results of Operations (MD&A)
o Prepare the client report with in-text citations and references to support each opinion you express in the client report. The report will include the following sub-headings:
Executive summary of findings
Introduction
SOX Compliance: Voluntary or Mandatory
Selective Cyber Disclosure
Cost Benefit Analysis of Implementing SOX at Palmer, Inc.
Concluding comments
Reference List
IV. Deliverables
1. Client report
i. APA style format
ii. Approximately 5 pages, double-spaced, excluding the (a) cover page and the (b) Reference page
V. Frequently asked questions & Helpful Hints
o Review and refresh your memory of APA style formatting 3-4 weeks before the assignment is due.
o Prepare a draft version of your report 2 weeks before it is due.
o Ask a classmate, friend, or family member to read your report before submitting it to the Graduate Writing Center.
o Submit your draft to the Graduate Writing Center before this project is due. This free resource can be accessed in your LEO classroom.
o Make edits to your report after reviewing feedback from the writing center tutors.
o Submit Project 1 on or before the due date.
o Ask your supervisor (professor) questions as needed.
VI. Rubric
Please use the rubric posted in LEO for this project.