Professional Services Monitor: Today


June 8, 2009

NCSU Study Finds Flaws in XBRL Filings

Filed under: Accounting,Technology — psmtoday @ 9:07 am

A study conducted by two accounting professors at North Carolina State University on the SEC’s pilot XBRL program found significant flaws in the data.  The study examined filings submitted by 22 companies during the SEC’s voluntary program, and raises concerns about data quality ahead of the mandatory XBRL filing deadline for the largest 500 companies, beginning with quarter-ending June 15, 2009.

But, while the XBRL concept is promising, the study from NC State found that reports from companies that participated in the voluntary pilot program contained multiple errors. “They were poorly tagged,” [Dr. Eileen] Taylor says, “and there were fundamental errors of accounting. One report, for example, contained too many zeros – turning millions into billions.” In their abstract, the researchers note that “These errors are serious because since XBRL data is computer-readable, users will not visually recognize the errors, especially when using XBRL analysis software.” In other words, users won’t be able to spot that something is wrong.

The study, “A Comparison of XBRL Filings to Corporate 10-Ks – Evidence from the Voluntary Filing Program,” examined XBRL filings by 22 companies that participated in the SEC’s voluntary pilot program in 2006. The study was co-authored by Taylor, Drs. Al Y. S. Chen and Jon Bartley, who are both professors of accounting at NC State. The study will be presented at the American Accounting Association Annual Meeting being held in New York City, Aug. 2-5.

June 2, 2009

Security Auditor Is Sued in Credit-Card Data Breach

Filed under: Consulting,Liability,Technology — psmtoday @ 8:35 am

Savvis, an “IT infrastructure services” provider, is being sued after issuing a clean security audit to CardSystems Solutions in 2004, three months before CardSystems was hacked and compromised. Wired’s Threat Level blog calls this the first such suit against a security auditing firm.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised.

More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards.

Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway.

A Visa executive told an audience earlier this month that the companies were not compliant, though auditors certified they were. “No compromised entity has yet been found to be in compliance with [the standards] at the time of the breach,” she said.

In the CardSystems case, Merrick Bank, which is based in Utah and services 125,000 merchants, sued Savvis last year in Missouri. Merrick says Savvis was negligent in certifying that CardSystems was compliant. The case was moved to Arizona five months ago but only recently assigned a judge, allowing the suit to finally move forward.

May 18, 2009

WolframAlpha and Financial Data

Filed under: Technology — psmtoday @ 10:28 am

WolframAlpha is a new search engine—a “computational knowledge engine: it generates output by doing computations from its own internal knowledge base”—from Wolfram Research, which debuted over the weekend. The Internet is alive with discussion of WolframAlpha being a Wikipedia killer and an alternative to Google.

While I personally have no interest in feeding the Wolf with mathematical minutiae, I did have a look at its treatment of public company data. Using General Electric as an example, WolframAlpha quickly produces a page of about 10 boxes, starting with current stock quote and fundamentals (or ratios, or balance sheet, or quarterly cashflow), down to projections and daily returns compared to the S&P 500. Data is not limited to mega-cap companies, like IBM or Wal-Mart, but also smaller companies such as Meridian Biosciences and Isilon Systems. It did not, however, generate data on hometown favorites, Pyramid Breweries and Craft Brewers Alliance (formerly Redhook).

Furthermore, WolframAlpha can also combine most of an individual company’s data with another in a quick comparison.

January 17, 2008

XBRL’s Uncertain Costs

Filed under: Technology — psmtoday @ 2:29 pm

XBRL, the long-ruminating standard for extensible, modern financial data reporting, may rival SOX 404 in implementation costs, according to the SEC’s Advisory Committee on Improvements to Financial Reporting (CIFR). In addition to the technical costs of bringing financial reporting into the near-modern age, the CIFR expresses concern about additional assurance costs. It is currently unclear whether a company’s auditor would need to provide assurance on whether the registrant properly translated its internal reporting into XBRL, once XBRL becomes mandatory.

Some of the committee’s members, including a current and former CFO, have worried that auditors’ fees for XBRL could rise to the level seen during the first few years of complying with Section 404 of the Sarbanes-Oxley Act. XBRL advocates on the panel dispute that claim. Still, the committee is acknowledging that while internally prepared XBRL documents should be independently reviewed, it should not result in a significant increase in audit fees.

One suggestion by the CIFR is a staged implementation, putting the largest 500 companies under the requirement first, large accelerated filers a year later, and then a final decision whether to extend XBRL requirements to all filers.

According to the article, fall 2008 would be the soonest the SEC would institute any XBRL requirement.

April 2, 2007

SEC Gets Its Own Audit of Internal Controls

Filed under: General,Technology — psmtoday @ 1:04 pm

reviews a Government Accountability Office audit of the SEC’s own internal controls. While the SEC improved from 2005 to 2006, new problems were found.

To be sure, by 2006 the SEC had fixed 58 of the 71 weaknesses in its internal controls that the GAO had found in its 2005 audit. Besides the 13 lingering flaws, 15 new weaknesses were found. The SEC corrected 11 of these new problems during the course of the review and successfully passed its audit last September.

The GAO said that the SEC has been lax in implementing its own policies and procedures and has not been effective in systems testing. Specifically cited problems included applications connected to both the Internet and the SEC internal network; weak database user passwords; and poor security at physical locations.

August 9, 2006

RFID Laptop Lockdown

Filed under: Firms,PricewaterhouseCoopers,Technology — psmtoday @ 8:03 am

Making one’s way through most Big Four offices is an exercise in badge-flashing and card-swiping. Access to building floors is usually regulated, and interior doors are always controlled by keycards. A press release from AXCESS International Inc. describes a new effort in security by PricewaterhouseCoopers in Mexico City. While the press release is both thick with company jargon and short on operational details, AXCESS will be providing PwC with an RFID tracking system for sensitive assets, primarily laptops. Laptops will be embedded with a chip to enable tracking their movements in and out of secure spaces just as people are tracked by their keycards. The Big Four have had their share of sensitive information loss through laptop theft, and this appears to be a direct response.

Again, the press release does not make operational details too clear, but it is conceivable that PwC would be able to track not just the physical laptop but its entire contents as well. Microsoft’s server technology and mobile profiles give IT administrators the ability to track and audit data on individual computers. And PwC likely has additional measures beyond the built-in MS capabilities. Tying the laptop RFID tag to the laptop network identification ought to be quite simple, if somewhat tedious. Thus, one might expect this security system could prevent a laptop from leaving a facility based on not only its owner but also the hard drive’s contents.

Or, as AXCESS puts it: “Alarms are automatically triggered if an asset leaves a controlled area without authorization. Doors can then be automatically locked, and typically wireless alerts are sent to security and responders to recover the asset before it leaves the premises.”