Speaker 1:
From Carr, Riggs and Ingram, this is It Figures, the CRI podcast, an accounting, advisory and industry focused podcast for business and organization leaders, entrepreneurs, and anyone who is looking to go beyond the status quo.
Ray Roberts:
Welcome to the It Figures podcast this morning. My name’s Ray Roberts. I’m the lead of the government auditing for Carr, Riggs and Ingram. I’m based in Albuquerque, New Mexico. And we’re going to talk with David Mills. David is the head of our IT group, and he has more initials after his name than I think there is an alphabet. I don’t know how that all works. Has to be a repeat in there somewhere. But David’s very knowledgeable on it. He’s doing some special things in the government area, and I’m just glad to have him here.
One thing, David, we’ll go ahead and start off real quick because this is concentrating on governments and not necessarily real big governments, but what kind of problems are governments having nowadays in the cybersecurity area?
David Mills:
Yeah, so that’s a great question. And focusing on governmental agencies that are medium-sized entities, they’re probably at the biggest risk from a cybersecurity incident. Generally speaking, it’s difficult to find funding to put in the level of IT controls and especially maybe even the monitoring that needs to go along with those to really recognize when you’re having a cyber event and really be able to isolate it and thwart it. And it’s difficult a lot of times for them to do that. They have limited resources and usually have some budget constraints. But by and large, the thing that is still the most prevalent area, Ray, in this, is social engineering.
And this is kind of the most prevalent thing really across all industries. It’s very difficult now for a hacker to break in through a firewall cold. It’s doable, but it’s very difficult to do. The biggest thing that happens is they’ll do a social engineering attack and get somebody to reveal their username and their password or something like that. And it kind of gets them in the network, even if it’s a low level user, it gets them in the network and sort of bypasses those defenses that they’ve got set up. So, that’s probably the biggest risk and the two attack areas that we see most. And unfortunately, governmental agencies are very high value targets.
They normally have a lot of things that can be compromised. For example, ACH files for payroll, banking applications that are used that may not require true two-factor authentication. The ability to go in and maybe elevate their privilege accesses from even the lowest level access. So, pretty big risk areas there, Ray, as we see it. And that doesn’t seem to be changing too much right now.
Ray Roberts:
Sure. Yeah. I’m amazed every time that every week we get these things from IT, the scam of the week and the scam of the day. And I’m just thinking, my goodness, how the different ways they can think of it and everything with AI looks so familiar. Is there anything in particular? The one I had this past week was people trying to act like a new client and want to set up a Zoom call and they want you to download Zoom. And our guy did great and said, “No, I’ll set up the Zoom call, all that good stuff.” Is there anything new in that area that you know of that you should be aware of?
David Mills:
You mentioned the biggest one, Ray. That’s AI. The ability to scam somebody with AI has really increased. AI tools are pretty prevalent. They’re fairly cheap. And it’s almost to the point that back in the day when you would look for things like misspellings or poor grammar or broken English to kind of alert you to an email, see, they can clean all that up now very simply with AI. One of the other things that’s a huge issue that I think is coming down the road is the ability to recreate a voice or even an image with very little data using AI to basically start a scam. One of the things that we always are worried about is obviously banking applications.
And it’s so easy now to wire money, to do an ACH transaction through those bank applications. And a lot of the controls that are in place are manual controls, which are good controls. One of the ones is what I call the old-fashioned callback. And this comes into play during this process. So, let’s say, for example, a high level user makes a call to the finance department and says, “Hey, we need to wire X to X to this company or that company.” Generally speaking, if they recognize the voice, they may do that wire. And with AI, it’s easy to take a voice simulation and actually request that. So, I’ll give you a good example. You usually have a voicemail where your voice is on the voicemail.
Well, if you can believe it, that is enough for AI to actually recreate your voice. So, if Ray Roberts is the one that can initiate a wire transfer or request somebody do a wire transfer, then they can sample that voice from your voicemail and call the person that is actually going to do the wire and imitate your voice. And so, now here comes the old-fashioned callback. Just pick the phone up and call Ray back on the phone number you know he’s going to answer. So, those are kind of the controls that we’ve got out there. And I think a lot of times we’re absolutely relying on technical controls, but some of the old-fashioned manual controls work pretty doggone well when it comes to those types of attacks.
Ray Roberts:
Yeah. I like to do it, and I like calling it the callback because for us, it gives us a chance to call and talk to our clients. It gives us a reason to reach out to them. For our governments, it’d be a chance for them to reach out and talk to their vendors that are important to keep those relationships and things like that. It’s the hidden benefits to trying to be safe that you don’t pay attention to sometimes, but they’re really getting crazy on that. What kind of test work would you do? First of all, one thing I always hear of is the, is it NITS framework? Is that what everybody uses? Give me a little bit about on that. And then kind of tell me what CRI would do to help a small government on this.
David Mills:
Sure, sure. So, a couple of quick things there. NIST is the National Institution of Standards and Technology. That is the government agency that really has kind of taken over putting out a framework for testing, putting out a framework for best practices and what you should be looking for and what you should be seeing. And what I like about it, Ray, is it’s a framework that’s free and available to everybody. We’ve got a lot of players in the space that are putting frameworks out that basically they charge you for the framework or they charge you for the ability to use their tool to use their platform. And so, it sort of gets to be a license model.
And I’m a big proponent of when it comes to security, things should be open and things should be free. And that’s why I like the NIST framework. It is a great framework. Anybody can download it. Anybody can utilize it. It’s updated constantly, and it’s a great framework. And so, at CRI, for anything that doesn’t have a specified framework, for example, like a financial institution would have the FFIEC guidelines and things like that. That’s a specified framework, and that’s geared toward a financial institution. We utilize those, obviously, when we do IT audits of financial institutions, NAIC for insurance institutions.
But when it comes to governmental and other areas that really don’t have a specified framework, NIST is the best framework to use. It is a big framework, but it can be customized to fit exactly what is in scope for the actual governmental entity we’re looking at. Now, that’s a big deal, scoping. In a lot of cases, we’ll see, Ray, where there’ll be a general RFP go out for an IT audit. And we think that that’s really just too big of a scope for a governmental entity, even a smaller governmental entity. And let me explain to you why we think that’s just a little bit too big.
In the IT world, which is different from the financial audit world, being able to get in and perform an IT audit and have results to the client within four to six weeks, I think is imperative because IT changes so rapidly that if you’re waiting for a report for an IT audit six months, seven months, even longer, the report and the information literally is stale by then. And so, it doesn’t necessarily give the entity what they need to actually respond to recommendations appropriately and to implement the remediation they need to do for those recommendations.
So, what we usually try to do is let the governmental entities that we work with, and they have loved this scoping, by the way, and this type of approach, we try to talk to them and say, “Let’s look at it from a specified scope perspective, either in a couple of different ways. One, let’s look at it maybe from the departmental area, or let’s look at it from a particular application area.” Now, when I say departmental area, let’s look at finance. Now, a lot of times you don’t think of finance having a lot of IT controls, but they in fact do have a lot of IT controls. And so, when we say, let’s look at the finance department, what we’re looking at are all the applications that the finance department uses.
That banking application that we were talking about earlier where they log in to actually do a wire transfer or do an ACH transfer, that accounting application for the GL and the accounts payable, maybe the accounts receivable, all of that type of thing applies in the financial departmental area. Then there’s other IT controls that are controlled by the IT department operationally for that financial area. So, for example, they have computers just like we all do. They log in to a computer initially. Normally, the controls around those initial logins are the IT departmental controls.
But once they’re in, pretty much it’s the application controls that take over for the normal financial departments. Things like access controls to their particular accounting system, access controls and true two-factor authentication for their banking applications. Those are critical areas that need to be audited and need to be looked at. Now, that’s not to say we don’t need these good governance documents where there’s IT policies in place and things like that, that sort of guide what we do or what the entity does from a password length perspective, a password complexity perspective, two-factor authentication perspective, that kind of thing.
But we’ve also got to go into that area and look at all of the controls they have within that governmental area or within that particular departmental area. Excuse me. So, where we talk about NIST and we talk about these departmental areas, we look at the access controls. Who has access to these accounting programs? What is the level of the access? Who can do what within what? Are there some segregation of duties that would be normal in there? Who reviews that access on a regular basis? Who actually inputs the new users? Does IT input the new users, or does the financial department input the new users into that application? So, there’s a lot of nuances that need to be looked at when you’re doing an IT audit.
And if you go in with, let’s just look at the entire government entity, it’s too much to get done in a reasonable period of time to provide those meaningful results back. So, what we’re saying is, let’s rescope these things. Let’s look at the critical departments first. Generally speaking, that’s going to be the finance department and maybe the HR department. And then let’s look at the general IT operational controls. How do they grant access to that initial login for these departments? Let’s don’t go in down the rabbit holes of everything that everybody does because you’ll never complete the scope.
And so, you pick those IT departments based on the risk that… And normally governmental entities have done some sort of risk to identify these riskier departments. And then let’s look at the audits that go around there based on this NIST framework that fit the level of complexity for that governmental entity. That gives them great results in a very quick manner. And also it allows us to price this appropriately for that governmental entity. If we just go in and it’s just a let’s do an IT audit, there’s literally no way for anybody to actually price that out because the scope is not defined well enough.
And so, we’ve seen that the governmental entities that we’ve talked to about this absolutely love this approach. And so, that’s kind of where we go in, we start testing, and all of this literally could be done virtually. So, there’s not necessarily a lot of travel expense involved. We’ve got this down to a pretty good science with testing virtually and identifying those areas. So, it literally gives the governmental entity the most value for an IT audit that I think that we can give them. Now, I do want to say this, Ray, that as you know, anybody can do an IT audit. Anybody that is a CPA and a CPA firm can perform a financial audit. It’s the people that make the difference in this audit world.
And that’s why we’ve assembled a team and it is a smaller team, but we’re very efficient that allows us to do a lot of different things. But we’ve assembled a team that has really good governmental experience. They’ve got really good communication skills to be able to work with the people in the financial department, not just the IT folks, but they’ve got the IT skillset to not waste the IT folks’ time. And so, that’s why we generally don’t have a big leverage down in staff. We have got senior managers and above because in order to do these audits efficiently, effectively, and in a reasonable timeframe, it takes that skillset to do it.
So, that’s kind of, I hope, answers your questions on what we do to try to help these government entities.
Ray Roberts:
Yeah, that staffing’s really a big deal. On a regular financial audit, we have to do stuff on the IT general controls, and the new standards are requiring more and more in that area, and we’re finding it’s hard. I mean, so we have people that are, that’s all they do is do those general IT controls and they get good at it, they get fast at it, and they add some value to it. So, I mean, for our customers, we just want to make sure that they know that there’s something else out there beside that IT general control.
That’s the standard, that’s the absolute minimum, but it’s not at least once, twice a year, at least on our client base out in New Mexico, we’re hearing of a phishing attack or ACH where they’ll just, especially they take advantage of the ones with a construction project going on that has some big dollars getting transferred and stuff. And it’s amazing how really good these criminals are nowadays. And this will help you with internal fraud too, any of this type stuff too.
David Mills:
100%. And so, you’ve got internal threats obviously going on there as well. So, that’s, again, goes back to the access controls and how they’re reviewing their access controls. The other area that we talk about a little bit from this scoping perspective is a lot of governmental entities may have a police department, they may have a court system, they may have a water department, and those really have a lot of IT nuances that are very difficult. When you start getting into police departments and courts, there’s things like CJIS systems that are very, very controlled.
And so, it’s very difficult for us to get in and do a little bit of… So, normally those things we like to keep out of scope because they’re very difficult and there’s already a large amount of controls in there based from the state auditors and things like that. But when you’re looking at finance departments, you’re looking at HR departments, you’re looking at the IT department in general, and maybe even a water department. One of the things that usually would be a scope in and of itself because of all the new complex meter reading systems that they have. They’ve got wireless meter reading systems. They’ve got applications that communicate from the truck all the way back to the billing system.
So, all of those have IT controls in them. So, that’s a way different scope than a financial department. And so, when you look at that financial department, there are a lot of insider threats, just like you say. You’ve got payroll that is normally pretty large in a government entity. And those ACH files that get sent to the bank, if they’re not protected, as you probably know this, they’re just literally a text file formatted in what’s called a NACHA format. And so, if those aren’t protected, then they’re editable prior to upload to the bank to actually perform that ACH transaction.
So, it’s conceivable that another little account could be added with a payroll that that ACH goes into the bank and it would fund it. So, now, how long before that’s discovered? Who knows? Depends on the controls. So, the protection, just things like that, that are very difficult to think about, the protection around that just one little file, and normally they’re just sitting in a file folder somewhere. And so, you got to make sure that that folder is actually protected. So, again, those are some of the nuances that we like to look at as part of this process. So, we can get into some in depth testing.
We may be able to look at, do some penetration scanning, although oftentimes that, again, for a large governmental entity, that’s, again, you’ve got to really define that scope. We can do some internal vulnerability analysis depending on what level of tools and techniques that particular entity has. So, for example, an internal vulnerability assessment, which effectively looks at the systems within a certain departmental area, if there’s an IT, or excuse me, what’s called an IP address restriction around a certain area, then we can actually scan all those devices. We can make sure that they’re up-to-date.
That’s one area that we really look at is this change management controls because that’s again, how if somebody has a foothold into the network through a social engineering attack, if they can find a system that is not up-to-date, they may be able to leverage and exploit that system. Same with the applications that are out there. So, this internal scan can actually go through, look at weak areas of the system, look at the change management level and the operating system level and the patch level that is being performed. Sometimes the smaller entities don’t have that vulnerability tool, and some of those vulnerability tools can be quite expensive to actually run on their network to see where they are.
So, a lot of times for even the little smaller entities, we’re able to do that and provide a good baseline on where they are at that particular point in time. But again, that’s one of those things that you want to do and you want to have the results of quickly so you can remediate. You can’t wait eight months. Could be already over for you.
Ray Roberts:
Yeah. Boy, this time went by fast. One thing I’m getting from this whole deal is you got to do something and you got to get started. And the way you mentioned it, by starting with the riskiest departments like finance and then go to something different and just start it and maybe come up with a plan, whoever your IT management or supervisory committee is, and just have a plan over a 3-year period to make sure the whole city or the whole government’s covered. But start with that, but just get started on this part. 100%. And that’s where we’ll end on this. I appreciate your time, David.
And as always, your wealth of knowledge makes it easy for a guy like me that only has to ask two or three questions and let you run with it. So, I appreciate the time and all the information.
David Mills:
Absolutely. Thanks, Ray.
Ray Roberts:
All right. Take care. Bye-bye.
Speaker 1:
If you want more CRI insights or are interested in learning about our firm, please visit our website at CRIADV.com. Thanks for listening to this episode of It Figures, the CRI Podcast. You can subscribe to It Figures on Spotify, Apple Podcasts, or wherever you prefer to listen to your podcasts. If you liked what you heard today, please leave us a review. CRI Advisors LLC is not a CPA firm. Assurance, attest and audit services provided by Carr, Riggs and Ingram LLC. Carr, Riggs and Ingram and CRI are the brand names under which Carr, Riggs and Ingram LLC, CRI CPA, CRI Advisors LLC, CRI Advisors or Advisors, and Capin Crouse LLC, Capin Crouse CPA, and CRI Capin Crouse Advisors LLC, Capin Crouse Advisors provide professional services.
CRI CPA, Capin Crouse CPA, CRI Advisors, Capin Crouse Advisors, Carr, Riggs and Ingram Capital, LLC, and their respective subsidiaries operate as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CRI CPA and Capin Crouse CPA are licensed independent certified public accounting firms that separately provide attest services as well as additional ancillary services to their clients. CRI CPA and Capin Crouse CPA are independently owned CPA firms that provide attestation services separate from one another.
CRI Advisors and Capin Crouse Advisors provide tax and business consulting services to their clients. CRI Advisors and its subsidiaries, including Capin Crouse Advisors, are not licensed CPA firms and will not provide any attest services. The entities falling under the Carr, Riggs and Ingram or CRI brand are independently owned and are not responsible or liable for the services or products provided or engaged to be provided by any other entity under the Carr, Riggs and Ingram or CRI brand. Our use of the terms CRI, we, our, us, and terms of similar import denote the alternative practice structure conducted by CRI CPA, Capin Crouse CPA, Capin Crouse Advisors, and CRI Advisors as appropriate.