Target, Inc. Cybersecurity Report

ACCT 620: Cyber Accounting: Management and Compliance

I. Title: Target Corporation

II. Introduction

After a few years as an internal auditor, you decide to go back to consulting. Luckily, you’re hired as a cyber accountant by Sweeting International Consulting, Inc. Your boss, a former Naval officer, tasked you with assessing a hacking attack and data breach that occurred at Target, Inc. The attack occurred in the fourth quarter of 2013 and it is disclosed in the 2014 annual report.

After retrieving Target’s 2014 annual report, you plan to review the inter- relationships between the domains of accounting systems, information security and cybersecurity. Your boss (professor) instructs you to pay particular attention to the March 13, 2015 Report of Management and the Audit Report prepared by EY (formerly Ernst & Young), which was the Independent registered public accounting firm that performed the 2014 audit of Target, Inc.

Given your previous experience as an internal auditor, you’re feeling pretty confident in your knowledge of auditing and internal auditing standards.
Nonetheless, your boss reminds you of auditing concepts relevant to this case. You listen intently and take notes as he describes what to look for in order to prepare the report he requested. At the end of the discussion, you review the notes you took while he was talking:

 Confirm the names and titles of those who signed the Management Representation Letter
 Review what the signers of the Annual Report said about the:
o data breach,
o adequacy of internal controls, and the
o impact on shareholders’ investments and earnings.
 Determine whether EY provided a basis for their audit opinion and whether you agree or disagree with their audit opinion.
o Like all other audits, the EY Audit report will include an audit opinion. The opinion states whether the company’s financial statements present its financial position, results of operations, and cash flows in accordance with U.S. GAAP.
o Auditors may issue (only) the following four opinions:
 Unqualified opinion (also referred to as Unmodified)
 Qualified opinion
 Adverse opinion, or a
 Disclaimer of opinion.

 Include an explanation of the role of the Public Company Accounting Oversight Board (PCAOB), which was created by the Sarbanes-Oxley Act of 2002.
 Discuss the role of the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (2013 Framework).
 Using the disclosure notes in the Target Annual Report, summarize where the Information system vulnerability occurred. Explain whether the attack was a supply chain vulnerability, an information security vulnerability, a cyber awareness weakness, or a combination of factors.
 Include a summary of the information system vulnerabilities you detected in Target’s Annual Report that includes how the information system was exploited. Include your conclusion as to where the vulnerabilities emanated: a) supply chain vulnerability, b) information security vulnerability, c) cyber awareness weakness, or d) a combination of factors.
 Identify professional development trainings and other educational opportunities you recommend to Target, Inc. to mitigate their risks of future attacks.
 Present your position on emerging trends and /or challenges in cyber accounting and offer suggestions for employee education and training.

Given the boss’ background as a Naval office, he is quite strict on following rules. He made it perfectly clear that he wants the draft version of your report to be reviewed by professional writers (UMUC writing tutors) and that you incorporate feedback from the professional writers into your final version.

III. Steps to Completion
 Retrieve the Target, Inc. Annual Reports for 2014 from the Target, Inc. Webpage.
o Using the Table of Contents, locate:
 Item #7: Management Discussion and Analysis of Financial Condition and Results of Operations and,
 Item #8: Financial Statements and Supplemental Data – the Report of Management on the Consolidated Financial Statements, dated March 13, 2015 and signed by Brian C. Cornell, CEO and John J. Mulligan, EVP & CFO.
 The EY Audit Report dated March 13, 2015.
 Using the notes that you took during the meeting with your supervisor, prepare a written response for each item.
 Using the written responses, you prepared in item #II above, compile your responses and create one cohesive report.
o You will need to write an introductory / executive summary of your conclusions regarding the inter-relationships among the domains of accounting systems, information security and cybersecurity. Recall the introduction suggested that you focus on the March 13, 2015: Report of Management and the Target, Inc. Audit Report prepared

by EY. You will need to write connecting sentences to make the report flow well and be sure to include a conclusion.
o Your conclusion should identify the type of opinion EY issued for Target. Justify why you agree or disagree with the EY opinion.
 When preparing the conclusion, review FASB’s definitions of
fairly and unqualified.
o Submit your draft document to the UMUC Writing Tutors. Feedback must be obtained from UMUC writing tutors, which can be accessed from your office (LEO classroom). Using feedback from the tutors, make appropriate edits as necessary before
submitting the final version of your report into your LEO assignment folder.
 To give you a feel for his expectation, the boss stated that the total length of the report should be approximately 10 -12 pages, you must use APA style format with in-text citations and a reference list.

IV. Deliverables

Target, Inc. Cybersecurity Report
 Submit a 10-12 page report, double-spaced, excluding the (a) cover page and the (b) Reference page, with citations and references in your LEO assignment folder by the due date.

V. Frequently asked questions & Helpful Hints

 Retrospectively, which management policy changes and operational practice changes did Target Corporation institute? See the annual reports and consultants’ reports from 2016 to 2018 that appear to be linked to the attack.
 Look for success stories such as Hacker linked to Target data breach gets 14 years in prison by Rachel Weiner in the September 21, 2018 edition of the Washington Post. Ruslan Bondars, the convicted criminal was a Latvian citizen; he wrote the software/malware used by other co- defendants who committed the hacking.
 ISACA is utilizing the NIST Cybersecurity Framework emphasizing a shared vernacular that is being used in cybersecurity training programs to 130,000 members around the world. See https://www.nist.gov/gov/document/cybersecurityframeworksuccess
 story-isacav6pdf.
 Review and refresh your memory of APA style formatting 3-4 weeks before the assignment is due.
 Prepare a draft version of your report 2 weeks before it is due.
 Ask a classmate, friend, or family member to read your report before submitting it to the Graduate Writing Center.

 Submit your draft to the Graduate Writing Center at least 1 week before this project is due. This FREE resource can be accessed in your LEO classroom.
 Make edits to your report after reviewing feedback from the writing center tutors.
 Submit Project 3 on or before the due date.
 Ask your supervisor (professor) questions as needed.

VI. Rubric(s)
 Please use the rubric posted in LEO for this project.

Target, Inc. Cybersecurity Report  Submit a 10-12 page report, double-spaced, excluding the (a) cover page and the (b) Reference page, with citations and references in your LEO assignment folder by the due date. V. Frequently asked questions & Helpful Hints  Retrospectively, which management policy changes and operational practice changes did Target Corporation institute? See the annual reports and consultants’ reports from 2016 to 2018 that appear to be linked to the attack.  Look for success stories such as Hacker linked to Target data breach gets 14 years in prison by Rachel Weiner in the September 21, 2018 edition of the Washington Post. appeared first on .