April 2003

Auditing VPNs

By Bruce H. Nearon

Virtual Private Networks (VPNs) provide a means for external users to access internal networks in a secure manner. According to generally accepted auditing standards, an auditor must gain a sufficient understanding of internal control to assess risk, plan an audit, and determine the nature, timing and extent of substantive tests. SAS 94 provides guidance to auditors on the effect of information technology on the auditor’s consideration of internal control. Based on that guidance, the auditor may choose to consider general controls, which include access controls. Since VPNs provide access to the internal network—often the same network on which the financial application resides—the auditor may consider testing the controls over VPNs.

Though the objective of a VPN is to provide secure access to the network, companies may purchase or implement VPNs that do not achieve desired security and control objectives. Thus, management and the auditor may inappropriately rely on these objectives in managing operations or issuing audit opinions.

The New York State Society of CPAs’ Technology Assurance Committee has organized a May 6 continuing professional education (CPE) morning presentation that will cover:

• Virtual Private Networks: definition, explanation and business reasons to deploy VPNs
• VPN security options, controls and common pitfalls
• Auditing VPN security

Date: Tuesday, May 6
Time: 8:00 a.m. to 8:30 a.m: registration, networking, free continental breakfast; 8:30 a.m. to 9:30 a.m.: CPE session
Presenter: John W. Verry
Location: NYSSCPA headquarters, 530 Fifth Ave. (between 44th and 45th streets), fifth floor, New York City

About the Presenter

John W. Verry, CCSA, CCSE, is a senior consultant with cqurIT, where he focuses on network, application and data security. Prior to joining cqurIT, he was with Aztec Technology Partners, where he specialized in eCommerce/Internet infrastructure and web development. Previously, Mr. Verry served as vice president of product development for Police Central, designing secure Internet-based database solutions for the law enforcement community. Mr. Verry is a frequent guest lecturer on information technology (IT) security and a special instructor at the IT Centers of Mercer Community College.

Additional Information

This NYSSCPA/Foundation for Accounting Education (FAE) CPE morning presentation is free to NYSSCPA members and $15.00 for nonmembers to qualify for one hour of CPE credit.

At the session you will get the chance to network with the profession’s and the industry’s IT leaders. Advance registration is encouraged, because seating is limited.

For additional information, contact Gary E. Carpenter at 315-487-4567 or gcarpenter-cit@worldnet.att.net or Bruce H. Nearon at 973-403-6955 or bnearon@jhcohn.com.

For more information on the Technology Assurance Committee, visit www.nysscpa.org, click on the Find Committees tab on the left-hand side of the page and then scroll down to the Technology Assurance Committee link.

Registration

To register: contact FAE at 212-719-8383 or 800-537-3635 or visit the Society’s website at www.nysscpa.org (you will need your Society member number to register). Go to the Technology Assurance Committee homepage and select “05/06/03-Auditing VPNs” located under the Free IT CPE banner.

Acknowledgments

J.H. Cohn LLP and Carpenter Information Technologies, Inc., helped provide the funding and resources for the continental breakfast, marketing and publicity, and administration of this event.