July 4, 2008


Risk Management Best Practices - Trusting Others

By: Linda J. Schiff

Information security is still a sticking point.  How secure is your accounting department and the information it uses every day?  What stands between it and a hacker?  Or a disgruntled employee? Or even a physical theft at the office?  What measures have been taken to recover lost or stolen information?  Have you ever tested it to make sure it works?

Accounting departments are trusted with an enormous amount of confidential information: everything from bank account numbers to payroll information to the names and addresses of unit owners.  And yet even the big players in Corporate America admit that most of these departments have open floor plans and 'invisible people' who have access (delivery and repair personnel, for example, most of whom wear uniforms that can be easily obtained).  Don't forget the cleaning service, or sensitive documents simply left on unattended desks.  While this type of risk has not necessarily resulted in significant published losses, a case can easily be made that there is room for improvement in this area of risk management.  (If you would enjoy a fictional, yet close-to-home story of how it can go wrong, see Special Assessment - A Novel by Marvin J. Nodiff, CAI Bookstore, Copyright 2002.)

The Physical Space
Space is a limited resource for every company, but there are some simple solutions when establishing or updating a floor plan.  The main goal is to limit access to the accounting area to only those who need it.  This can include locked drawers and offices, secured floors with controlled elevator access, and corporate identification badges.  Recommendations also include taking physical security a step further: protecting sensitive documents in fireproof cabinets, monitoring the distribution of keys, and actually making sure the various locks are locked.  Frequently companies have most of the basic security measures in place, but they are not actually put into practice and checked for compliance often enough.

Hiring and Training
The accounting department's employees are critical to the implementation of a successful risk management program.  Careful screening of new hires is simply a must in this area, and should be a practice for all new employees.  This includes appropriate reference and background checks; in some cases it may be appropriate to perform a credit check, with the proper authorization.  In addition, timely and ongoing training regarding changes in procedures, authorized signers, access to sensitive information, banking regulations, documentation and contract terms is important to maintaining the integrity of the accounting function.  Take employee accountability a step further: build risk management compliance into the department's performance reviews, and reward accordingly.

Network Access
Most companies have by now established a secure network, firewalls, anti-virus scanning, etc., along with the monthly services to keep them up to date.  Nevertheless, this is not an area where you check the box and move on to the next thing; it belongs permanently on the "to do" list.  These investments in information security are not merely important, they are critical.  Other areas where companies can still improve are setting reasonably timed screensavers, requiring employees to use strong, private passwords that are changed often, and, where appropriate, purchasing software that can monitor employees' activity on the network.  Many companies set employees up with access to the entire server when in reality the function of the position requires access to only a much smaller portion of it.  Evaluate who really needs access to what and implement these changes quickly.  Finally, when an employee leaves, be sure to immediately sever access to all information, in both the physical and cyber spaces.
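The three controls the paragraph above calls for (access limited to what the position needs, passwords that are actually rotated, and access severed when someone leaves) are easiest to enforce when they are checked against a written baseline on a schedule rather than remembered. The script below is an added example, not part of the original article and not any vendor's product: it reconciles a constructed snapshot of what accounts are granted on a file server against a role matrix stating what each job function needs, and flags over-provisioned accounts, accounts still active after termination, and passwords older than policy. The role names, share names, user names and the 90-day policy value are all assumptions made for the example.

```python
"""Access-review reconciliation for an accounting department (added example).

Compares what each account can actually reach against what its job function
requires, and flags accounts that should have been disabled when the person
left. All data below is constructed for the example; the role matrix, share
names and policy value are assumptions, not a real organisation's.
"""
from datetime import date

# Least-privilege baseline: the shares each job function actually needs.
# Assumed for the example; in practice the accounting manager owns this list.
ROLE_REQUIREMENTS = {
    "ap_clerk":   {"invoices", "vendor_master"},
    "ar_clerk":   {"receipts", "unit_owner_roster"},
    "payroll":    {"payroll", "hr_records"},
    "controller": {"invoices", "vendor_master", "receipts",
                   "unit_owner_roster", "payroll", "bank_accounts"},
}

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
REVIEW_DATE = date(2008, 7, 4)      # the "as of" date for this review run

# Constructed snapshot: what the directory / file server grants today,
# joined with HR status and the date of the last password change.
ACCOUNTS = [
    {"user": "jdoe",   "role": "ap_clerk",   "status": "active",
     "granted": {"invoices", "vendor_master", "bank_accounts", "payroll"},
     "password_changed": date(2008, 1, 15)},
    {"user": "asmith", "role": "ar_clerk",   "status": "active",
     "granted": {"receipts", "unit_owner_roster"},
     "password_changed": date(2008, 6, 1)},
    {"user": "bwong",  "role": "payroll",    "status": "terminated",
     "granted": {"payroll", "hr_records"},
     "password_changed": date(2008, 3, 3)},
    {"user": "ctran",  "role": "controller", "status": "active",
     "granted": {"invoices", "vendor_master", "receipts",
                 "unit_owner_roster", "payroll", "bank_accounts"},
     "password_changed": date(2008, 5, 20)},
]


def excess_access(accounts, role_requirements):
    """Return {user: sorted shares granted beyond what the role needs}."""
    findings = {}
    for acct in accounts:
        needed = role_requirements.get(acct["role"], set())
        extra = acct["granted"] - needed
        if extra:
            findings[acct["user"]] = sorted(extra)
    return findings


def orphaned_accounts(accounts):
    """Return users HR lists as terminated who still hold any access."""
    return sorted(a["user"] for a in accounts
                  if a["status"] == "terminated" and a["granted"])


def stale_passwords(accounts, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return active users whose password is older than policy as of `as_of`."""
    return sorted(a["user"] for a in accounts
                  if a["status"] == "active"
                  and (as_of - a["password_changed"]).days > max_age_days)


def review(accounts, role_requirements, as_of):
    """Run all three checks and return one report dict."""
    return {
        "excess_access": excess_access(accounts, role_requirements),
        "orphaned_accounts": orphaned_accounts(accounts),
        "stale_passwords": stale_passwords(accounts, as_of),
    }


if __name__ == "__main__":
    for check, result in review(ACCOUNTS, ROLE_REQUIREMENTS, REVIEW_DATE).items():
        print(f"{check}: {result}")
```

The value of the exercise is in the role matrix: once "what does an AP clerk actually need?" is written down, the comparison is mechanical and can be rerun monthly, and any account that appears in the orphaned list is evidence that the leaver process, not just the technology, needs attention.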

Audit the Accounting Department
What if you are not sure how your procedures stack up?  Make the investment and hire an auditor to review your internal procedures and test them.  Many times these audits pay for themselves, as the more efficient processes they recommend also reduce risk.  While the accounting manager may initially find the audit time-consuming and challenging, the results will provide clear direction for the future and ultimately improved service to customers.

Sarbanes-Oxley - Coming soon to an audit near you?
There is a growing push for the audits of non-public companies to begin complying with Sarbanes-Oxley Section 404, as it is increasingly recognized as a new best practice in the industry.  These compliance requirements will be a hardship on smaller and mid-sized companies, as most areas will require a segregation of duties, which in turn will require hiring more staff.  Evaluating existing internal controls and segregating duties where possible is an excellent first step in risk management.  This may include organizing employees by function rather than by customer, and random audits of financial data to maintain its accuracy and integrity.

Outsourcing
This is the ultimate in trusting others.  A growing number of companies are outsourcing most, if not all, of their accounting functions.  This can be a significant benefit in terms of economies, expertise and security.  Many accounting firms maintain a high level of information security as a result of their area of practice.  Nevertheless, privacy agreements and disaster recovery measures should still be reviewed and evaluated.

August 30, 2007