A Practical Guide to Security Assessments
that make up the operating income and the changes in these numbers from the prior
year are worth reviewing when preparing for a security assessment, as those variances
might indicate changes to the business or other relevant events. The high-level
line items that make up the operating income include revenues, cost of goods sold,
and selling, general, and administrative expenses.
The revenue number might be broken up into more granular components based
on the type of business it is. Significant fluctuations in the revenues over time should
be explained. Trends can be due to market conditions and be completely expected or
they may be due to other conditions in the company. For many companies affected
by the economic downturn in 2002, reduction in revenues was expected and forecasted
at that time. The key is that the trend and its effect on the business should
be explained; from the explanation, you can determine whether any impact on the
security assessment is likely. For example, if a company is continuing to have less
revenue in a particular division, there may be a plan to discontinue certain products
and services. This will certainly impact a security assessment because those processes
and the technology that specifically support that business might be discontinued,
and thus you might not spend significant time on them during the security
assessment.
Similar to revenue, the cost of goods sold can be presented in a more granular
fashion depending on the company and its reporting requirements. The cost of goods
sold represents those costs directly associated with goods or services sold by the
company. Like revenues, the cost of goods sold should be reviewed over a period
of time, with any significant fluctuations explained by the client. These fluctuations
may be explained by economic conditions or by specific issues that the company
might be facing. An example of a case where differences in cost of goods sold might
impact the security assessment is if there is an unusual rise in cost of goods sold.
This could result from changes in the cost of materials (resulting in little impact on
the security assessment), changes in processes, or other changes in the organization.
If the changes resulted from changes in processes or further use of technology, this
could impact what you look at in the security assessment.
Selling, general, and administrative expenses (SG&A) generally include support
costs such as sales, back office operations such as accounting and finance, and other
support costs. SG&A should be reviewed over a period of time. Fluctuations in the
components of SG&A such as accounting, finance, and human resources (HR) could
have security implications depending on the reason for the fluctuation.
Notes to the Financial Statements
Glancing through the notes to the financial statements is valuable. The notes contain
details about line items on the financial statements that might need further clarification.
The notes also contain other information that is not reflected in the financial
statements but that companies are required to disclose. The notes are part of the
financial statements and they are audited — i.e., a third party has audited the content
of the notes and the numbers referenced in the notes. Some important pieces of
information that would be helpful in the security assessment can be extracted from
the notes. Notes vary from company to company, but some examples of important