ACCT 620: Cyber Accounting: Management and Compliance
I. Title: SOX Compliance: Information Guidance for Organizations.
II. Introduction
After securing your new MS in accounting degree, you’re feeling pretty
confident of yourself and decide to look for work in consulting. Your
favorite graduate school professor encouraged you to apply to the
international consulting firm: Kesterman International Consulting, Inc.
(KIC). You apply and are hired immediately. Congratulations!

Since you previously worked for KIC as an intern, you’re familiar with the
company’s policies and practices. Plus, some of your old colleagues still
work at KIC, which makes you feel comfortable immediately. The only
challenge is that your new supervisor, Mike, can be a bit long winded and
is known to be a micromanager. Your closest colleagues refer to him as
Mike-romanager. Nonetheless, you are excited to be working in
consulting.
Mike requests a meeting with you to discuss your first assignment. The
meeting is scheduled for your second Monday on the job at 9 AM in Mike’s
office.
Mike starts out by explaining who the client is and what they want. The
client is a private contractor, Palmer, Inc., who earns almost all of its
revenue from government contracts. Palmer hired KIC to prepare a report
that addresses its concerns regarding SOX compliance. Specifically,
Palmer would like the report to address:
a) Whether regulators are leaning toward making SOX compliance
voluntary or mandatory,
b) Whether the requirements are likely to deter insider trading and
selective disclosure of cyber incidents, and
c) The client wants a cost benefit analysis of implementing SOX at
Palmer, Inc.
Mike continues to explain that AICPA compliance with the Sarbanes Oxley
Act of 2002 (SOX Act) now embraces cybersecurity, which of course you
already knew.

Mike feels these elective/voluntary audits may open a whole new field for
cybersecurity accountants, especially from Sarbanes Oxley engagements
and he thinks you have the competencies to work as a cybersecurity
accountant or cyber-accountant. You shake your head in agreement even
though you are not sure at this point whether becoming a cyberaccountant is your career goal.
Mike goes on explaining that:
Cybersecurity threats continue to increase and escalate.
Managers, investors, employees, customers, the board of directors,
and other stakeholders from organizations of all sizes and sectors
are seeking better and faster solutions. Further, Mike believes that
organizational leaders, including himself, are under increasing
pressure to demonstrate that they are managing these threats and
have effective processes and controls in place to prevent and
detect breaches that could disrupt their clients’ businesses, result in
financial losses, or destroy their reputation.
Mike continues:
on May 1, 2017, the AICPA published a guide for using System and
Organizational Controls (SOC) for Cybersecurity that is a marketdriven, flexible, and a voluntary reporting framework to help
organizations communicate about their cybersecurity risk
management program and the effectiveness of controls within that
program. Mike firmly believes it is important to recognize that
cybersecurity is not just an IT problem; it is an enterprise risk
management problem that requires a global solution.
Organizations can use the AICPA reporting framework, SOC for
Cybersecurity, and related criteria to enhance their cybersecurity
risk management reporting.
Further, Mike states that:
CPAs can use the SOC for Cybersecurity reporting framework to
examine and report on the effectiveness of controls to achieve an
entity’s stated cybersecurity objectives.
At this point, you’re ready to get started working, but Mike continues on as
if he is preaching to a newbie. To be respectful, you patiently sit and listen
to what Mike has to say.
The AICPA established new guidance for CPAs conducting
cybersecurity attestation engagements. Information security and
cybersecurity are two separate domains that differ but are closely
aligned.
Information security encompasses information protection,
unauthorized access, or modification of data when at rest and in
motion in all stages of information management, e.g., storage,
processing, or transit. Unlike cybersecurity risk, information
security risk could be completely within an organization and does
not necessarily involve external exposure.
Cybersecurity refers to the processes and controls implemented by
an entity to manage cybersecurity risks. Since the processes and
controls that confront cybersecurity risks also address information
security risks, the terms information security and cybersecurity are
often used interchangeably.
Finally, it seems that Mike is almost finished with his soliloquy, but he
goes on a bit longer.
From a practical standpoint, however, the difference is minor
because most entities store, process, use, and transmit information
electronically and frequently have an interface with the Internet.
The perspective with respect to cybersecurity is internet-centric and
defensive, hence the common cybersecurity concept term,”
defense in depth.
Senior management is acknowledging the new and magnified risks
inherent with doing business on the Internet. Additionally,
organizational leaders recognize that cyberspace can be used for
criminal and malicious purposes. Thus, entities must continually
develop more effective and highly targeted processes and controls
to respond to those risks. This is the new world for accountants and
auditors.
Mike asks:
Are you ready?
You respond; absolutely and leave his office to start working on the project. You
decide to conduct research before starting to prepare the client report. First, you
decide to read Commission Statement and Guidance on Public Company
Cybersecurity Disclosures, https://www.sec.gov/rules/interp/2018/33-10459.pdf,
which is dated February 26, 2018.
You learn that regulators such as the AICPA, the Federal Trade
Commission (FTC) and the Securities and Exchange Commission (SEC)
are becoming more prescriptive on corporate public disclosure
requirements as originally intended with the passage of the SarbanesOxley Act of 2002. While compliance audits are still voluntary, the
regulators are demanding more details on material incidents with
emphasis on promptly reporting the negative financial impact of cyber
breaches and without selective disclosure, which may influence stock
prices.
III. Steps to Completion
o Read the Commission Statement and Guidance on Public Company
Cybersecurity Disclosures
o Read An Overview of Sarbanes-Oxley for the Information Security
Professional dated May 9, 2004. To retrieve this document, go to the SANS
Institute public reading room. Login as an individual. This is a read-only
white paper. Do not copy this document.
o Read SEC TOPIC 9 – Management’s Discussion and Analysis of Financial
Position and Results of Operations (MD&A)
o Prepare the client report with in-text citations and reference to support each
opinion you express in the client report. The report will include the following
sub-headings:
 Executive summary of findings
 Introduction
 SOX Compliance: Voluntary or Mandatory
 Selective Cyber Disclosure
 Cost Benefit Analysis of Implement SOX at Palmer, Inc.
 Concluding comments
 Reference List
IV. Deliverables
1. Client report
i. APA style format
ii. Approximately 5 pages, double-spaced, excluding the (a) cover
page and the (b) Reference page
V. Frequently asked questions & Helpful Hints
 Review and refresh your memory of APA style formatting 3-4 weeks
before the assignment is due.
 Prepare a draft version of your report 2 weeks before it is due.
 Ask a classmate, friend, or family member to read your report before
submitting it to the Graduate Writing Center.
 Submit your draft to the Graduate Writing Center before this project is due.
This free resource can be accessed in your LEO classroom.
 Make edits to your report after reviewing feedback from the writing center
tutors.
 Submit Project 1 on or before the due date.
 Ask your supervisor (professor) questions as needed.
VI. Rubric
 Please use the rubric posted in LEO for this project.