Identifying Cyber Risks in an Audit
As the frequency and severity of cyber attacks have increased, data security should be a critical part of the audit risk assessment. The Public Company Accounting Oversight Board (PCAOB) made cybersecurity one of the areas of focus for inspection about three years ago. Here’s what that project has revealed so far.
During a June 2018 meeting of the Standing Advisory Group, PCAOB inspectors reported that public company auditors today are increasingly focused on matters related to cybersecurity. And they’re trying to adjust their audit procedures accordingly.
In recent years, PCAOB inspectors have interviewed auditors of companies that have experienced a breach into their computer systems. They’ve sought to find out how the auditors and their firms responded to the incidents.
Audit firms have provided varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit. “Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.
Auditors have also been retaining audit evidence about what their clients have been doing to understand the breaches of their computer systems.
Most companies today view cybersecurity as a business problem, not just as an information technology (IT) issue. Powers reports that, as a result, audit committees are “extremely interested in hearing what the auditors have to say about cybersecurity and have been vocal about what their expectations are relative to what the auditors are doing on cybersecurity.”
In addition, companies and their auditors must evaluate the costs associated with cybersecurity breaches, which may not always be apparent. “Cost is like an iceberg,” Powers said. “You realize 85 percent of the iceberg is under the sea, and you can’t really see it. Those costs are the costs that companies are wrestling with, and certainly costs that auditors are wrestling with, when they look at financial statement presentations.”
Work in progress
The PCAOB hasn’t found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there is a risk that future cyber attacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program this year to explore what auditors are doing to protect client and stakeholder data.
“We will be looking for their cybersecurity strategies, what is their governance, basically managing and overseeing that strategy,” Powers said. “How do they identify and prioritize risks? What kind of controls do they establish? But equally as important, how do they monitor that those controls are operating effectively?”
Specifically, the PCAOB hopes to gain insight into:
- How companies evaluate, manage and respond to cyber risks and cyber incidents,
- The implications of cyber risks and cyber incidents for financial reporting, including disclosure obligations in filings with the Securities and Exchange Commission (SEC),
- Auditor responsibilities as part of an audit of financial statements or internal controls over financial reporting related to cyber risks and cyber incidents, and
- How audit firms evaluate, manage and respond to their own cyber risks and cyber incidents.
PCAOB inspectors also want to understand how auditors establish and maintain timely communications with audit committees and external stakeholders.
Universal risk factor
The PCAOB’s inspection project targets audits of public companies. But private companies can also be victims of cyber attacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.
The PCAOB’s findings underscore the need for auditors of entities of all sizes to modify their procedures to answer key questions about cyber risks and the effectiveness of their audit clients’ internal controls.