ACCT 620: Cyber Accounting: Management and Compliance
I. Title: SOX Compliance: Information Guidance for Organizations.
II. Introduction
After securing your new MS in accounting degree, you’re feeling pretty
confident in yourself and decide to look for work in consulting. Your
favorite graduate school professor encouraged you to apply to the
international consulting firm Kesterman International Consulting, Inc.
(KIC). You apply and are hired immediately. Congratulations!
Since you previously worked for KIC as an intern, you’re familiar with the
company’s policies and practices. Plus, some of your old colleagues still
work at KIC, which makes you feel comfortable immediately. The only
challenge is that your new supervisor, Mike, can be a bit long-winded and
is known to be a micromanager. Your closest colleagues refer to him as
Mike-romanager. Nonetheless, you are excited to be working in
consulting.
Mike requests a meeting with you to discuss your first assignment. The
meeting is scheduled for your second Monday on the job at 9 AM in Mike’s
office.
Mike starts out by explaining who the client is and what they want. The
client is a private contractor, Palmer, Inc., who earns almost all of its
revenue from government contracts. Palmer hired KIC to prepare a report
that addresses its concerns regarding SOX compliance. Specifically,
Palmer would like the report to address:
a) Whether regulators are leaning toward making SOX compliance
voluntary or mandatory,
b) Whether the requirements are likely to deter insider trading and
selective disclosure of cyber incidents, and
c) The client wants a cost benefit analysis of implementing SOX at
Palmer, Inc.
Mike continues to explain that AICPA compliance with the Sarbanes-Oxley
Act of 2002 (SOX Act) now embraces cybersecurity, which of course you
already knew.
Mike feels these elective/voluntary audits may open a whole new field for
cybersecurity accountants, especially from Sarbanes-Oxley engagements,
and he thinks you have the competencies to work as a cybersecurity
accountant or cyber-accountant. You nod your head in agreement even
though you are not sure at this point whether becoming a
cyber-accountant is your career goal.
Mike goes on explaining that:
Cybersecurity threats continue to increase and escalate.
Managers, investors, employees, customers, the board of directors,
and other stakeholders from organizations of all sizes and sectors
are seeking better and faster solutions. Further, Mike believes that
organizational leaders, including himself, are under increasing
pressure to demonstrate that they are managing these threats and
have effective processes and controls in place to prevent and
detect breaches that could disrupt their clients’ businesses, result in
financial losses, or destroy their reputation.
Mike continues:
On May 1, 2017, the AICPA published a guide for using System and
Organizational Controls (SOC) for Cybersecurity that is a
market-driven, flexible, and voluntary reporting framework to help
organizations communicate about their cybersecurity risk
management program and the effectiveness of controls within that
program. Mike firmly believes it is important to recognize that
cybersecurity is not just an IT problem; it is an enterprise risk
management problem that requires a global solution.
Organizations can use the AICPA reporting framework, SOC for
Cybersecurity, and related criteria to enhance their cybersecurity
risk management reporting.
Further, Mike states that:
CPAs can use the SOC for Cybersecurity reporting framework to
examine and report on the effectiveness of controls to achieve an
entity’s stated cybersecurity objectives.
At this point, you’re ready to get started working, but Mike continues on as
if he is preaching to a newbie. To be respectful, you patiently sit and listen
to what Mike has to say.
The AICPA established new guidance for CPAs conducting
cybersecurity attestation engagements. Information security and
cybersecurity are two separate domains that differ but are closely
aligned.
Information security encompasses protecting information from
unauthorized access or modification, whether the data is at rest or in
motion, in all stages of information management, e.g., storage,
processing, or transit. Unlike cybersecurity risk, information
security risk could be completely within an organization and does
not necessarily involve external exposure.
Cybersecurity refers to the processes and controls implemented by
an entity to manage cybersecurity risks. Since the processes and
controls that confront cybersecurity risks also address information
security risks, the terms information security and cybersecurity are
often used interchangeably.
Finally, it seems that Mike is almost finished with his soliloquy, but he
goes on a bit longer.
From a practical standpoint, however, the difference is minor
because most entities store, process, use, and transmit information
electronically and frequently have an interface with the Internet.
The perspective with respect to cybersecurity is internet-centric and
defensive, hence the common cybersecurity term “defense in depth.”
Senior management is acknowledging the new and magnified risks
inherent with doing business on the Internet. Additionally,
organizational leaders recognize that cyberspace can be used for
criminal and malicious purposes. Thus, entities must continually
develop more effective and highly targeted processes and controls
to respond to those risks. This is the new world for accountants and
auditors.
Mike asks:
Are you ready?
You respond, “Absolutely,” and leave his office to start working on the project. You
decide to conduct research before starting to prepare the client report. First, you
decide to read Commission Statement and Guidance on Public Company
Cybersecurity Disclosures, https://www.sec.gov/rules/interp/2018/33-10459,
which is dated February 26, 2018.
You learn that regulators such as the AICPA, the Federal Trade
Commission (FTC) and the Securities and Exchange Commission (SEC)
are becoming more prescriptive on corporate public disclosure
requirements as originally intended with the passage of the Sarbanes-
Oxley Act of 2002. While compliance audits are still voluntary, the
regulators are demanding more details on material incidents with
emphasis on promptly reporting the negative financial impact of cyber
breaches and without selective disclosure, which may influence stock
prices.
III. Steps to Completion
o Read the Commission Statement and Guidance on Public Company
  Cybersecurity Disclosures.
o Read An Overview of Sarbanes-Oxley for the Information Security
  Professional dated May 9, 2004. To retrieve this document, go to the SANS
  Institute public reading room. Log in as an individual. This is a read-only
  white paper. Do not copy this document.
o Read SEC TOPIC 9 – Management’s Discussion and Analysis of Financial
  Position and Results of Operations (MD&A).
o Prepare the client report with in-text citations and references to support each
  opinion you express in the client report. The report will include the following
  sub-headings:
    Executive summary of findings
    Introduction
    SOX Compliance: Voluntary or Mandatory
    Selective Cyber Disclosure
    Cost Benefit Analysis of Implementing SOX at Palmer, Inc.
    Concluding comments
    Reference List
IV. Deliverables
1. Client report
i. APA style format
ii. Approximately 5 pages, double-spaced, excluding the (a) cover
page and the (b) Reference page
V. Frequently asked questions & Helpful Hints
Review and refresh your memory of APA style formatting 3-4 weeks
before the assignment is due.
Prepare a draft version of your report 2 weeks before it is due.
Ask a classmate, friend, or family member to read your report before
submitting it to the Graduate Writing Center.
Submit your draft to the Graduate Writing Center before this project is due.
This free resource can be accessed in your LEO classroom.
Make edits to your report after reviewing feedback from the writing center
tutors.
Submit Project 1 on or before the due date.
Ask your supervisor (professor) questions as needed.
VI. Rubric
Please use the rubric posted in LEO for this project.
Ranges | 90 – 100% | 80 – 89% | 79 – 0% |
Criteria | Exceeds Performance Expectations | Meets Performance Expectations | Does Not Meet Performance Expectations |
Critical Thinking / Originality | Always identifies the correct issue, collects and evaluates information, and applies logical, step-by-step decision-making processes to articulate clear, defensible ideas. Clear evidence of originality. Quoted content includes quotation marks and correct APA in-text citation including the page or paragraph number depending on the format of the source. Non-quoted content that needs to be cited provides correct APA in-text citation. The reference list includes cited sources only. There is no evidence of copying and pasting or other types of plagiarism. Indicates an exceptional understanding of the topic (connecting it with our readings or other sources). | Usually identifies the correct issue, collects and evaluates information, and applies logical, step-by-step decision-making processes to articulate clear, defensible ideas. Clear evidence of originality. Quoted content includes quotation marks and an in-text citation that may contain errors or fail to include the page or paragraph number. Non-quoted content that needs to be cited provides a mostly-accurate APA in-text citation. The reference list includes cited sources and may erroneously include sources that were not cited. There is no evidence of copying and pasting and/or other types of plagiarism. Indicates a satisfactory understanding of the topic. | Rarely identifies the correct issue, collects insufficient information, and does not apply a logical step-by-step decision-making process to articulate clear, defensible ideas. Lacks clear evidence of original thoughts. May contain too many quotations thus rendering the paper a series of quotes and not a reflection of what the student thought about and wrote. May include inaccurate in-text citations. The reference list may erroneously include sources that were not cited, contain APA formatting errors, and/or fail to provide the source for cited content. May contain evidence of copying and pasting and/or other types of plagiarism. Indicates a limited understanding of the topic, reflecting what other students have already posted or repeating information that was in the assigned reading. Or did not submit. |
Identification of the Strategic Issue/ Challenge/ Problem | Correctly identifies & provides accurate & detailed descriptions of the most relevant & serious issues, challenges, and/or problems facing the company. Shows superior knowledge of the company’s current financial situation & strategic issues. Provides a focused diagnosis of the issue(s) & justifies that diagnosis using evidence presented in the case. | Correctly identifies & provides accurate & detailed descriptions for some of the most relevant & serious issues, challenges, and/or problems facing the company. Shows above average knowledge of the company’s current financial situation & strategic issues. Provides a focused diagnosis of some of the issue(s) & justifies that diagnosis using some evidence presented in the case. | Does not correctly identify & provide accurate & detailed descriptions for most of the most relevant & serious issues, challenges, and/or problems facing the company. Shows below average knowledge of the company’s current financial situation & strategic issues. Does not provide a focused diagnosis of some of the issue(s) & does not justify that diagnosis using evidence presented in the case. Or, did not submit. |
Analysis of Case Specifics | Does not waste space reiterating information provided in the case. Chooses relevant facts & figures for the analysis, and excludes irrelevant, immaterial, & extraneous information. Examines financial and non-financial data, performs data analysis, and evaluates alternatives. | Wastes some space reiterating information presented in the case. Chooses some of the relevant facts & figures for the analysis, and excludes some of the irrelevant, immaterial, and extraneous information. Examines financial and non-financial data, but does not perform sufficient data analysis to determine and evaluate alternatives. | Wastes a significant amount of space reiterating information presented in the case. Chooses only a few relevant facts & figures for the analysis, and includes irrelevant, immaterial, and extraneous information. Examines financial and non-financial data, but does not perform sufficient data analysis to determine and evaluate alternatives. Or, did not submit. |
Conclusions & Recommendations | Develops effective recommendations, solutions, and/or action plans that specifically solve the strategic issues, challenges, and/or problems identified as the organization’s most relevant & serious. Supports recommendation with convincing evidence. | Develops some effective recommendation(s), solutions, and/or action plans that specifically solve the strategic issues, challenges, and/or problems identified as the organization’s most relevant & serious. Supports recommendation(s) with insufficient and unconvincing evidence. | Develops only a few effective recommendation(s), solutions, and/or action plans that only tangentially address the strategic issues, challenges, and/or problems identified as the organization’s most relevant & serious. Does not support recommendation(s) with convincing evidence. Or, did not submit. |
Writing Competencies | Clear, correct, and concise use of English grammar with no spelling or punctuation errors. Employs professional writing without colloquial language. Organization is easy to follow and congruent with graduate level writing skills. | Clear, correct, and concise use of English grammar with some spelling and/or punctuation errors. Employs professional writing with some colloquial language. Organization is not easy to follow but the submission is written at the graduate level. | Confusing, incorrect, and/or wordy use of English grammar with many spelling and/or punctuation errors. Employs unprofessional writing with a significant amount of colloquial language. Organization is not easy to follow and the submission is not written at the graduate level. Or did not submit. |
APA Style | Includes sufficient credible sources from peer reviewed journals, academic, and/or professional resources. All sources are cited per APA style, including properly cited in-text citations. The reference list is complete and accurate. Wikipedia and other non-academic resources were not used. | Includes some credible sources from peer reviewed journals, academic, and/or professional resources. Some of the sources are cited per APA style, including properly cited in-text citations. The reference list is complete and mostly accurate. Wikipedia and other non-academic resources were not used. | Includes few credible sources from peer reviewed journals, academic, and/or professional resources. Many sources are not cited or incorrectly cited per APA style, including properly cited in-text citations. The reference list is incomplete and inaccurate. Wikipedia and other non-academic resources were used. Or, did not submit. |
Overall Score | Exceeds Expectations | Meets Expectations | Does Not Meet Expectations |