Auditors have important role in cybersecurity

BY KEN TYSIAC

The steady stream of headlines about data breaches has the business community and regulators on high alert with regard to cybersecurity.

An online PwC survey of global executives and IT directors conducted early in 2013 found that detected cybersecurity incidents rose 25% over the previous year. And 31% of executives responding to EY’s Global Information Security Survey for 2013 said the number of cybersecurity incidents at their organization grew at least 5% over the previous year.

The SEC has taken notice of concerns over this issue and will hold a round-table meeting Wednesday to address cybersecurity.

In recognition of these trends, the Center for Audit Quality (CAQ) released an alert Friday to its nearly 600 public company audit firm members that summarizes external auditors’ duties with respect to cybersecurity. The CAQ is affiliated with the AICPA.

“Cybersecurity is one of the most complex and evolving issues facing public companies,” CAQ Executive Director Cindy Fornelli said in a news release. “All players in the financial reporting supply chain, including of course independent auditors, have an important role to play.”

External auditors’ duties, according to the alert, include:

  • Understanding how the company uses IT and the impact of IT on the financial statements.
  • Understanding the extent of the company’s automated controls as they relate to financial reporting. This should include an understanding of IT general controls that affect the automated controls, and the reliability of data and reports used in the audit that were produced by the company.
  • Taking into account the understanding of IT systems and controls in assessing the risks of material misstatement to the financial statements, including IT risks resulting from unauthorized access.


The audit’s focus is on access and changes to systems and data that would affect the financial statements and the effectiveness of internal control over financial reporting (ICFR), rather than the company’s overall IT platform, according to the alert.

Accordingly, the alert says execution of an audit of the financial statements and ICFR is unlikely to include areas that would address a cybersecurity breach outside that narrow area. But if a material breach is discovered, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR, the alert says.

The primary focus for auditors with respect to IT should be controls and systems in closest proximity to the application data of interest to the audit, according to the alert. These may include enterprise resource planning systems, single-purpose applications such as a fixed-asset system, and any set of connected systems that house data related to the financial statements.

Ken Tysiac (ktysiac@aicpa.org) is a JofA senior editor.
