As auditors, we gather information from the client by conducting interviews, obtaining schedules and documents. Oftentimes, these information are sensitive in a manner by which it can prejudice the position of the client/company should these fall into the hands of the wrong parties. Auditors are expected to handle these information in a professional fashion.
Client information or data (other than those obtained through interviews) usually come in the form of physical documents or electronic files. Electronic files are normally transferred between terminals via electronic media like floppy disks, CD’s, and USB flash drives.
The transfer of sensitive client data doesn’t just happen between the client and the auditor. Ordinarily, electronic documents are as well transmitted between and among the engagement team members for the purpose of review, delegation of duty, or simply for information of everyone.
Handling client data, especially electronic data, should not be presumed. There can be IT specialists in the client who may be cognizant of and are on guard about the company’s information from being misplaced. Well, that is what they are there for in the first place.
In one incident during fieldwork in the client premises, while on break for lunch, a team member left his/her USB flash drive attached to the USB port of the laptop. The IT manager happened to stop by our working area and pulled the device off the computer. The IT manager then questioned such a practice. He asked if we have any such policy regarding some sort of encryption of data while being stored in an external device.
The computer was locked, fine. What about that external drive, which anyone can simply draw away for any malicious intent, virtually strewn over the workplace?
Well, he made his point there. In the course of our kind of work, security of data while being stashed in external media is very important. We may be able to afford to lose that disk (and the cost that goes with it) for being careless, but the data contained in it, well especially for the client, it’s priceless. Integrity can be at stake.
A value added service, indeed, is enhanced by being well aware of client data security.
So, now, let’s take a look at how we can heighten our data security. One solution, of course, is the use of data encryption.
There are actually flash drives that provide automatic data encryption offered in the market. Files are automatically encrypted after they are saved into the disk. However, I would like to point out a freeware that is capable of encrypting data not only in flash drives, but also in local hard disks, CD’s, and even in floppy disks.
Truecrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys.
One major advantage of Truecrypt is, well, it is free. You can download it from their site, install and run it in your computer. You will need to log in as administrator to install the program, though. But after installation, you can freely run the program even without administrator privileges anymore.
Another feature of this software is that it can run in a so-called “traveller mode”, which means that it does not have to be installed on the operating system under which it is run. However, again you need administrator privileges in order to be able to run Truecrypt in “traveller mode”. (Anyway, you can read the Truecrypt User Guide from their site to know more about how this program really functions.)
Nevertheless, on a conclusion, with the help and cooperation of the IT department, we can surely deliver a value added service to our client when equipped with better awareness of data security.