Cybersecurity challenges require a response from every sector of the economy. Public company auditors can do their part by providing services to clients beyond the financial statements, according to a Center for Audit Quality (CAQ) report published Tuesday.
Auditing standards require financial statement auditors to obtain an understanding of how the company uses IT and the impact of IT on the financial statements. This includes an understanding of the extent of the company’s automated controls as they relate to financial reporting, the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process.
But IT generally has an impact on clients that extends far beyond their financial statements. A company’s overall IT platform includes systems and related data that address not only financial reporting processes but also the operational and compliance needs of the entire organization.
Practitioners also can provide advisory or attestation services on company-prepared cybersecurity information, as public companies often provide voluntary disclosures about their cybersecurity risk management.
Opportunities for auditors include:
Assessment engagements. Auditors can provide services to help companies identify key areas of cybersecurity risk, discover gaps in processes and controls, and develop effective controls.
Attestation engagements. Practitioners can perform an examination engagement in accordance with the AICPA’s attestation standards to provide an independent report on whether management’s description of the cybersecurity risk management program meets the specifications of the company’s reporting framework. The criteria in the AICPA’s SOC for Cybersecurity framework can be used to underpin such an engagement.
The report from the CAQ, which is affiliated with the AICPA, also contains considerations for boards of directors related to cybersecurity.
“As the scale and complexity of cybersecurity challenges has grown exponentially in recent years, investors and other stakeholders may find information beyond the disclosures required by the Securities and Exchange Commission helpful for decision-making,” CAQ Executive Director Julie Bell Lindsay said in a news release. “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and company cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.