Viewing cybersecurity through a COSO lens

By Ken Tysiac

Cybersecurity is a constant source of concern for businesses as high-profile breaches make headlines almost daily.

Nation states, organized crime, hacktivists, and even terrorists have demonstrated the ability to compromise technology and systems used by businesses as well as individuals.

A new report released Wednesday, COSO in the Cyber Age, describes how the popular internal control framework updated in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) can help organizations evaluate and manage cyberrisks.

According to the report, cybersecurity can be viewed through the lens of the COSO framework's principles in ways that include the following:

Principle 6: Organizations specify objectives with sufficient clarity to enable the identification of risks relating to objectives. In applying this principle, management can determine the levels of risk tolerance acceptable to the organization and focus on protecting the most critical information systems.

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed, and Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Senior management, business, and IT personnel evaluate risks in the application of these two principles. They must understand what information systems are valuable to potential cyberattackers and understand how these attacks are likely to occur.

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control. Updating risk assessments on a continuous basis to reflect changes that could impact cyber controls is a key to applying this principle.

Principles 10, 11, and 12: In following these principles, the organization selects, develops, and deploys control activities. Careful design and implementation of appropriate controls—after consideration of likely attack methods used by hackers—can help fulfill these principles.

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. Formally documenting information requirements—and the related risk analysis and response—can help make sure that processes and controls will be executed consistently.

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Effective communication educates all personnel about their responsibilities, including those responsible for managing cyberrisks and the board of directors.

The report also suggests that organizations should ask:

  • Are we focused on the right things?
  • Are we proactive or reactive?
  • Are we adapting to change?
  • Do we have the right talent?
  • Are we incentivizing openness and collaboration?
  • Can executive management articulate its cyberrisks and explain its approach and response to such risks?

“There is growing concern at all levels of industry about the challenges posed by cybercrime,” COSO Chairman Robert Hirth said in a news release. “This new guidance helps put organizations on the right path toward confronting and managing the frightening number of cyberattacks.”

COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.

Ken Tysiac is a JofA editorial director.
