Cybersecurity provides opportunities for auditors to serve

By Ken Tysiac

Cybersecurity challenges require a response from every sector of the economy. Public company auditors can do their part by providing services to clients beyond the financial statements, according to a Center for Audit Quality (CAQ) report published Tuesday.

Auditing standards require financial statement auditors to obtain an understanding of how the company uses IT and the impact of IT on the financial statements. This includes an understanding of the extent of the company’s automated controls as they relate to financial reporting, the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process.

But IT generally has an impact on clients that extends far beyond their financial statements. A company’s overall IT platform includes systems and related data that address not only financial reporting processes but also the operational and compliance needs of the entire organization.

Practitioners also can provide advisory or attestation services on company-prepared cybersecurity information, as public companies often provide voluntary disclosures about their cybersecurity risk management.

Opportunities for auditors include:

  • Assessment engagements. Auditors can provide services to help companies identify key areas of cybersecurity risk, discover gaps in processes and controls, and develop effective controls.
  • Attestation engagements. Practitioners can perform an examination engagement in accordance with the AICPA’s attestation standards to provide an independent report on whether management’s description of the cybersecurity risk management program meets the specifications of the company’s reporting framework. The criteria in the AICPA’s SOC for Cybersecurity framework can be used to underpin such an engagement.

The report from the CAQ, which is affiliated with the AICPA, also contains considerations for boards of directors related to cybersecurity.

“As the scale and complexity of cybersecurity challenges has grown exponentially in recent years, investors and other stakeholders may find information beyond the disclosures required by the Securities and Exchange Commission helpful for decision-making,” CAQ Executive Director Julie Bell Lindsay said in a news release. “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and company cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”

Ken Tysiac is the JofA’s editorial director.

