ACCT 620 American Military University Cyber Accounting Worksheet

ACCT 620: Cyber Accounting: Management and Compliance
I. Title: SOX Compliance: Information Guidance for Organizations.
II. Introduction
After securing your new MS in accounting degree, you’re feeling pretty
confident of yourself and decide to look for work in consulting. Your
favorite graduate school professor encouraged you to apply to the
international consulting firm: Kesterman International Consulting, Inc.
(KIC). You apply and are hired immediately. Congratulations!
Since you previously worked for KIC as an intern, you’re familiar with the
company’s policies and practices. Plus, some of your old colleagues still
work at KIC, which makes you feel comfortable immediately. The only
challenge is that your new supervisor, Mike, can be a bit long-winded and
is known to be a micromanager. Your closest colleagues refer to him as
Mike-romanager. Nonetheless, you are excited to be working in
consulting.
Mike requests a meeting with you to discuss your first assignment. The
meeting is scheduled for your second Monday on the job at 9 AM in Mike’s
office.
Mike starts out by explaining who the client is and what they want. The
client is a private contractor, Palmer, Inc., who earns almost all of its
revenue from government contracts. Palmer hired KIC to prepare a report
that addresses its concerns regarding SOX compliance. Specifically,
Palmer would like the report to address:
a) Whether regulators are leaning toward making SOX compliance
voluntary or mandatory,
b) Whether the requirements are likely to deter insider trading and
selective disclosure of cyber incidents, and
c) The client wants a cost benefit analysis of implementing SOX at
Palmer, Inc.
Mike continues to explain that AICPA compliance with the Sarbanes Oxley
Act of 2002 (SOX Act) now embraces cybersecurity, which of course you
already knew.
Mike feels these elective/voluntary audits may open a whole new field for
cybersecurity accountants, especially from Sarbanes Oxley engagements
and he thinks you have the competencies to work as a cybersecurity
accountant or cyber-accountant. You shake your head in agreement even
though you are not sure at this point whether becoming a cyber-accountant is your career goal.
Mike goes on explaining that:
Cybersecurity threats continue to increase and escalate.
Managers, investors, employees, customers, the board of directors,
and other stakeholders from organizations of all sizes and sectors
are seeking better and faster solutions. Further, Mike believes that
organizational leaders, including himself, are under increasing
pressure to demonstrate that they are managing these threats and
have effective processes and controls in place to prevent and
detect breaches that could disrupt their clients’ businesses, result in
financial losses, or destroy their reputation.
Mike continues:
On May 1, 2017, the AICPA published a guide for using System and
Organizational Controls (SOC) for Cybersecurity that is a market-driven,
flexible, and voluntary reporting framework to help
organizations communicate about their cybersecurity risk
management program and the effectiveness of controls within that
program. Mike firmly believes it is important to recognize that
cybersecurity is not just an IT problem; it is an enterprise risk
management problem that requires a global solution.
Organizations can use the AICPA reporting framework, SOC for
Cybersecurity, and related criteria to enhance their cybersecurity
risk management reporting.
Further, Mike states that:
CPAs can use the SOC for Cybersecurity reporting framework to
examine and report on the effectiveness of controls to achieve an
entity’s stated cybersecurity objectives.
At this point, you’re ready to get started working, but Mike continues on as
if he is preaching to a newbie. To be respectful, you patiently sit and listen
to what Mike has to say.
The AICPA established new guidance for CPAs conducting
cybersecurity attestation engagements. Information security and
cybersecurity are two separate domains that differ but are closely
aligned.
Information security encompasses information protection,
unauthorized access, or modification of data when at rest and in
motion in all stages of information management, e.g., storage,
processing, or transit. Unlike cybersecurity risk, information
security risk could be completely within an organization and does
not necessarily involve external exposure.
Cybersecurity refers to the processes and controls implemented by
an entity to manage cybersecurity risks. Since the processes and
controls that confront cybersecurity risks also address information
security risks, the terms information security and cybersecurity are
often used interchangeably.
Finally, it seems that Mike is almost finished with his soliloquy, but he
goes on a bit longer.
From a practical standpoint, however, the difference is minor
because most entities store, process, use, and transmit information
electronically and frequently have an interface with the Internet.
The perspective with respect to cybersecurity is internet-centric and
defensive, hence the common cybersecurity concept term,
“defense in depth.”
Senior management is acknowledging the new and magnified risks
inherent with doing business on the Internet. Additionally,
organizational leaders recognize that cyberspace can be used for
criminal and malicious purposes. Thus, entities must continually
develop more effective and highly targeted processes and controls
to respond to those risks. This is the new world for accountants and
auditors.
Mike asks:
Are you ready?
You respond, “Absolutely,” and leave his office to start working on the project. You
decide to conduct research before starting to prepare the client report. First, you
decide to read Commission Statement and Guidance on Public Company
Cybersecurity Disclosures, https://www.sec.gov/rules/interp/2018/33-10459.pdf,
which is dated February 26, 2018.
You learn that regulators such as the AICPA, the Federal Trade
Commission (FTC) and the Securities and Exchange Commission (SEC)
are becoming more prescriptive on corporate public disclosure
requirements as originally intended with the passage of the
Sarbanes-Oxley Act of 2002. While compliance audits are still voluntary, the
regulators are demanding more details on material incidents with
emphasis on promptly reporting the negative financial impact of cyber
breaches and without selective disclosure, which may influence stock
prices.
III. Steps to Completion
o Read the Commission Statement and Guidance on Public Company
Cybersecurity Disclosures
o Read An Overview of Sarbanes-Oxley for the Information Security
Professional dated May 9, 2004. To retrieve this document, go to the SANS
Institute public reading room. Login as an individual. This is a read-only
white paper. Do not copy this document.
o Read SEC TOPIC 9 – Management’s Discussion and Analysis of Financial
Position and Results of Operations (MD&A)
o Prepare the client report with in-text citations and references to support each
opinion you express in the client report. The report will include the following
sub-headings:
  - Executive summary of findings
  - Introduction
  - SOX Compliance: Voluntary or Mandatory
  - Selective Cyber Disclosure
  - Cost Benefit Analysis of Implementing SOX at Palmer, Inc.
  - Concluding comments
  - Reference List
IV. Deliverables
1. Client report
i. APA style format
ii. Approximately 5 pages, double-spaced, excluding the (a) cover
page and the (b) Reference page
V. Frequently asked questions & Helpful Hints
- Review and refresh your memory of APA style formatting 3-4 weeks
before the assignment is due.
- Prepare a draft version of your report 2 weeks before it is due.
- Ask a classmate, friend, or family member to read your report before
submitting it to the Graduate Writing Center.
- Submit your draft to the Graduate Writing Center before this project is due.
This free resource can be accessed in your LEO classroom.
- Make edits to your report after reviewing feedback from the writing center
tutors.
- Submit Project 1 on or before the due date.
- Ask your supervisor (professor) questions as needed.
VI. Rubric

Please use the rubric posted in LEO for this project.
ACCT 620: Cyber Accounting: Management and Compliance
I. Title:
Analysis of Corporate Policies: Internet Usage Policy, Computer Policy and
Privacy Policy
II. Introduction
After working as a cyber accountant at an international consulting firm for a few
years, you resign to take a position in the internal audit department of a publicly
traded company. To brush up on the basics of internal auditing, you decide to
browse the Website of the Institute of Internal Auditors, North America. After
browsing the site to get a feel for this professional organization, you locate and
read two documents:
1) 2017 standards of the International Standards for the Professional
Practice of Internal Auditing (Standards), which can be found under
Standards and Guidance and Mandatory Guidance, and
2) The Insight that Internal Brings to Cybersecurity in the IIA publication,
Tone at the Top, June 2017, Issue 82.
At the end of your first week on the job, your supervisor came to your office and
asked you to review three different corporate policies related to computer and
internet security. The supervisor emphasized that it is important for you to learn
the value of writing a policy statement and the importance of implementing
policies in organizations from management’s viewpoint and also from the
perspectives of employees, customers, and other stakeholders.
All three policies you will be updating impact the company’s accounting and
financial information systems and related financial reporting. These policies
need to be analyzed to determine what they currently include and updated for
currency. Specifically, your supervisor asked you to update the following three
policies that are currently in place in your organization:
Policy Reviews:
1. Acceptable use policy,
2. Internet use policy, and the
3. Privacy policy.
III. Steps to Completion
1. To get started, select any publicly-traded corporation, and locate its most
recent annual report.
2. Rewrite any sections of the Acceptable Use Policy, Internet Use Policy,
and Privacy Policy that you find unclear or that need updating to be
current. Note: you may have to search your chosen corporation’s
website to find the above policies. This will take you some time, so please
get started on this search early enough. You may find all 3 policies; in
many cases, you may find just one of these three policies for your
chosen corporation, most likely the Privacy Policy. Use whatever
policy (policies) you can find for your chosen corporation to get
started on this Project.
3. Download the NIST 800-53 and the SANS Technical Institute templates.
Do a Google search to get the most recent templates.
4. As the basis for writing updates to the policies, use the templates provided
by NIST 800-53 and the SANS Technical Institute to complete your
recommendations for your supervisor.
5. For each of the three policies that you redrafted/updated/drafted from
scratch, explain the generally accepted policy guidance provided by
organizations such as NIST, AICPA and/or the ISO 27001 framework, and
by what means, practically, in simple language that your supervisor can
understand.
a. Note: The NIST, AICPA, and ISO frameworks have been vetted by
panels of experts similar to the Financial Accountings Standards
Board (FASB) issuance of Generally Accepted Accounting
Principles (GAAP).
IV. Deliverables
1. One Word document written in APA Style format.
a. In total, the document will be 8-10 pages using APA, double-spaced,
excluding the (a) cover page and the (b) Reference page.
b. For each of the three policies, write your recommendation for
changes to each policy, excluding the cover sheet and reference
list.
V. Helpful tips and hints
- If needed, review APA style formatting again to prepare for writing
Project 2.
- Prepare a draft version of your report 10 days before it is due.
- Ask a classmate, friend, or family member to read your report before
submitting it to the Graduate Writing Center.
- Submit your draft to the Graduate Writing Center at least 1 week before
this project is due.
- Make edits to your report after reviewing feedback from the writing center
tutors.
- Submit Project 2 on or before the due date.
- Ask your supervisor (professor) questions as needed.
VI. Rubric
- Please use the rubric in your LEO classroom for Project 2.
CLASS ASSIGNMENT INSTRUCTIONS
A. The goal is to attain an overall score
