Page 247 - COSO Guidance Book
For example, a small entity might, due to lack of continued support for its accounting software,
elect to use a web-based package. General controls relevant to this point of focus would be an
investigation of the features and capabilities of the web-based package, the types of connectivity that
are permitted to access the web-based package, the projected downtime associated with the web-based package, and so forth.
Cybersecurity
Cybersecurity overview
Cybersecurity addresses the protection of an entity’s computers, mobile devices, data, networks, and
other IT resources from attacks by known and unknown perpetrators. Cybersecurity internal controls
include both general IT controls and preventive and detective IT application controls that were addressed
previously. Cybersecurity controls also include certain controls designed to reduce the risk of specific
types of cybercrime schemes.
A global study by McAfee estimates that in 2014, the cost of cybercrime was $345 billion–$445 billion;
the cost grew to $600 billion in 2018, or 0.8% of global GDP. (Note: all figures are in U.S. dollars.) The
researchers also studied several countries to glean an understanding of regional and country variations
on how cybercrime is accomplished. These countries included, among others, Australia, Brazil, Germany,
Japan, and the United Arab Emirates. An interesting finding was that cybercriminals will be successful
regardless of whether a country takes significant efforts against cybercrime or not.⁶
Cybercriminals hack into IT systems and devices (computers, laptops, tablets and other mobile devices,
etc.) with the intent to benefit in some manner from the intrusion. These benefits can include monetary
compensation, obtaining sensitive information, or disrupting a competitor’s online services. Many of
these schemes place malicious software onto the victim’s device.
Some of the more common cybercrime schemes follow. Controls to prevent and detect these cybercrime
schemes are provided.
Phishing — Phishing is a cybercrime scheme where sensitive information (bank account password, credit
card details, etc.) is provided unwittingly by a user to cybercriminals. A phishing email is sent to the
unsuspecting victim. The email appears to come from a known source and may contain logos and other
information associated with that source. Often, the email recipient clicks on a link that directs the user to
a perpetrator’s fictitious website, where sensitive user information is requested. This information, once
captured by the cybercriminal, can be used for various nefarious purposes, such as obtaining loans in the
user’s name, obtaining health care using a fictitious identification card, or stealing funds from the user’s
bank account.
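The two deceptions described above, a sender that appears to be a known source and a link whose visible text does not match where it actually leads, can be checked mechanically by a mail-filtering control. The following Python script is an added example, not part of the COSO guidance; the message it inspects is constructed for illustration, and the domains example-bank.example, login-verify.example and mailbox-collect.example are placeholders.

```python
"""Flag common phishing indicators in an e-mail message:
  * a display name that names one domain while the real address is another,
  * a Reply-To that diverts answers to a third domain,
  * a link whose visible text names a different host than its href opens.
Added example; the sample message and all domains below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and the link text impersonate
# "example-bank.example", but the address, Reply-To and link target do not.
SAMPLE_EMAIL = """\
From: "security@example-bank.example" <alerts@login-verify.example>
Reply-To: replies@mailbox-collect.example
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<img src="https://www.example-bank.example/logo.png">
<p>Please confirm your details at
<a href="https://www.login-verify.example/secure">https://www.example-bank.example/login</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element with an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (no public suffix list):
    'www.example-bank.example' -> 'example-bank.example'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """Return the first hostname-looking token in text, lower-cased, or None."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def phishing_indicators(raw_message):
    """Return a list of (indicator, detail) tuples for the message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rpartition("@")[2])

    # 1. Display name embeds a domain that differs from the real address.
    claimed = domain_in_text(display_name)
    if claimed and registrable_domain(claimed) != sender_domain:
        findings.append(("display-name-mismatch",
                         f"display name claims {claimed} but address is {address}"))

    # 2. Reply-To sends answers to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(("reply-to-mismatch",
                         f"replies go to {reply_to}, not {address}"))

    # 3. Link text names one host while the href opens another.
    payload = msg.get_payload(decode=True) or b""
    collector = _LinkCollector()
    collector.feed(payload.decode("utf-8", errors="replace"))
    for href, text in collector.links:
        actual = urlparse(href).hostname or ""
        shown = domain_in_text(text)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append(("link-text-mismatch",
                             f"link shows {shown} but opens {actual}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

The domain comparison deliberately reduces hosts to their last two labels so that www.example-bank.example and example-bank.example are treated as the same source; a production filter would use the public suffix list instead of this approximation, and would also apply the same check to links in plain-text bodies and to the message's DKIM/SPF results.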
⁶ https://csis-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf?kab1HywrewRzH17N9wuE24soo1IdhuHdutm_source=Pressutm_campaign=bb9303ae70-EMAIL_CAMPAIGN_2018_02_21utm_medium=emailutm_term=0_7623d157be-bb9303ae70-194093869
Note that the 0.8% of global GDP calculation reflects the upper range of estimated costs.
© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-13