Could independent auditors fight Chinese cyber-crime?

by Hockey93

This expands on one of my past posts concerning the need for improved IT audits, “Should an Independent Audit Hunt for Fraud”, posted on December 2. I read this article in the WSJ about how China is the world leader in cyber-spying and cyber-theft. Basically, the article is about an investigation the U.S. government launched which resulted in many acts of cyber-spying and cyber-theft being traced back to China. The investigation traced back the hacks to a number of groups in China that are backed by the Chinese military. These groups have hacked numerous times into both government agencies and big corporations. The corporations include Google, Lockheed Martin, EMC Corporation’s RSA unit, ExxonMobil, Royal Dutch Shell, Morgan Stanley, Dow Chemical, Symantec, and Northrop Grumman. These are only the hacks that have been made public. There is also a very detailed article in this month’s issue of Popular Mechanics about China cyber-spying, but you need to be a subscriber to the magazine to read the article.

While I was reading these two articles, I was thinking that more in-depth IT audits could definitely help companies that are in industries that are being targeted by cyber-spying and cyber-theft. The traditional IT audit just focuses on internal controls that are put in place to keep the company’s employees from accessing information and doing things they aren’t authorized to do. I feel that IT audits should begin to really focus on the measures put in place to keep outsiders from hacking into the computer systems. An unnamed oil company in the Popular Mechanics article was victim to hacks and was later outbid for several acquisitions by Chinese oil companies by just a few thousand dollars. The investigation by the government found that the most common motive for hacking corporations was to steal technology. This is going to lead to U.S. companies losing billions of dollars of revenue and decreasing economic growth in the U.S. If more rigorous standards are enforced during IT audits, some of the cyber-theft could be prevented, potentially saving the company millions of dollars.

While it is the government’s job to do everything they can to get China to stop committing acts of cybercrime, it is the responsibility of the corporations to do everything in their power to prevent an attack or alert the company that their networks have been breached. Many of the hacks into corporations went undiscovered for months. I feel that a more rigorous and expanded IT audit could help in both of these areas. A more in-depth IT audit would help ensure that a company has put in place necessary and adequate prevention and alert measures. Although increasing the scope of an IT audit would increase the costs of the engagement, the benefit definitely outweighs the cost of losing billions of dollars in revenue and technology to foreign competitors. Do you agree?


About Mark P. Holtzman

Chair of Accounting Department at Seton Hall University. PhD from The University of Texas at Austin. Worked at Deloitte's New York Office. BSBA from Hofstra University.


  1. I agree. I don't think it should be the responsibility of the government to regulate this problem, and it will be a bad business practice for companies to depend on the government to instil some kind of regulation for these problems. A basic auditing practice and understanding is not only controls through detection, but through excellent prevention. By setting up the appropriate IT systems that will prevent these hacks, companies will be benefiting themselves more than they may be considering. I understand that there could be concern in regards to cost, but depending on the industry and the extent of hacks for the field, companies should consider the amount of money they could be saving and the amount of risk they could be avoiding through this approach to their controls.

  2. I definitely think that companies need to come together and develop more stringent standards for ensuring that their systems are not vulnerable to external cyber attacks. So many companies do business with one another over the internet and just because one company has strong protection against cyber threats, it does not mean that the information could not end up compromised due to the other company's lack of protection.
