A new white paper from the Center for Audit Quality (CAQ) explains why CPAs play a critical role in helping organizations address the ever-growing challenges that cybersecurity presents.
“Cybersecurity challenges are stark, and they demand that every sector of the economy play a role,” CAQ Executive Director Cindy Fornelli said in a prepared statement. “The public company auditing profession will do its part by leveraging its traditional strengths while innovating in ways that can greatly enhance confidence in cybersecurity information and practices.”
CAQ’s white paper, The CPA’s Role in Addressing Cybersecurity Risk, points out three key strengths that CPA firms have in approaching cybersecurity challenges for the benefit of senior management, boards of directors, and other capital markets stakeholders:
1. Core values and attributes. Adhering to core values of independence, objectivity, and skepticism, CPAs are viewed by management and boards as trusted advisors who have a broad understanding of businesses, who receive appropriate annual training, who comply with a code of ethics, and who are subject to rigorous external quality reviews.
2. Experience in independent evaluations. Audit firms have a great deal of experience in independent evaluations, with the most common example being the financial statement auditor’s opinions on the audits of financial statements and internal control over financial reporting (ICFR).
In addition, many large and midsized CPA firms have built substantial IT practices that provide attestation and advisory services to organizations on IT security-related matters and the effectiveness of IT security controls.
3. Multidisciplinary strengths. Today’s public accounting firms employ individuals with the CPA designation and other credentials specifically related to IT and security. These include Certified Information Systems Security Professionals (CISSP), Certified Information Systems Auditors (CISA), and Certified Information Technology Professionals (CITP).
Not all that long ago, most companies relegated anything “cyber” to the IT department. But as recognition grows that cybersecurity risks include personnel practices, supply chain management, and operational decisions, more enterprise-wide approaches to managing these risks have evolved.
Until recently, management and boards had few resources for designing a framework for risk identification, response, control design and implementation, assessment, and recovery. Now there are several, along with standards, methodologies, and processes put forth by federal and state governments, industry groups, independent agencies, and other stakeholders.
Let’s look at the most common example of an objective evaluation: the financial statement auditor’s independent opinions on the audits of financial statements and ICFR.
The Sarbanes-Oxley Act of 2002 (SOX) added a requirement applicable to most public companies that management annually assesses the effectiveness of the company’s ICFR and report the results to the public. In addition, SOX requires the audit committees of most large public companies to engage an independent auditor to audit the effectiveness of the company’s ICFR.
So, the white paper states, it’s important to understand the cybersecurity considerations for the financial statement auditor within those contexts. Here are the key takeaways:
- Cybersecurity controls considered a part of ICFR would only represent a subset of the company’s enterprise-wide cybersecurity controls.
- Under current guidance, a company can determine if it is necessary to disclose cybersecurity risks in various places throughout its Form 10-K. The financial statement auditor’s responsibilities depend on whether the disclosure is included in the audited financial statements or elsewhere in the Form 10-K.
- For cybersecurity risks included elsewhere in the Form 10-K, the auditor isn’t required to perform procedures to corroborate that information. Instead, the auditor considers whether the information or the manner of its presentation is materially inconsistent with information appearing in financial statements or a material misstatement of fact.
Shepherding much of this work, at this point, is the American Institute of CPAs’ (AICPA) development of a new voluntary cybersecurity risk management reporting framework.
The framework includes:
- Management’s description of the organization’s cybersecurity risk management program.
- Management’s assertion about the presentation of its description and about whether the controls within the cybersecurity risk management program were effective in achieving the cybersecurity objectives, based on a suitable set of control criteria.
- The CPA’s opinion on management’s description and the effectiveness of the controls to achieve the organization’s cybersecurity objectives.
The AICPA cybersecurity reporting framework is objectives-based and voluntary. It allows flexibility for managers and auditors to choose to reference any suitable description and control criteria in the performance of the examination.
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.