Identifying Cyber Risks in an Audit

As the frequency and severity of cyberattacks have increased, data security should be a critical part of the audit risk assessment. The Public Company Accounting Oversight Board (PCAOB) made cybersecurity one of the areas of focus for inspection about three years ago. Here’s what that project has revealed so far.

Increased scrutiny

During a June 2018 meeting of the Standing Advisory Group, PCAOB inspectors reported that public company auditors today are increasingly focused on matters related to cybersecurity. And they’re trying to adjust their audit procedures accordingly.

In recent years, PCAOB inspectors have interviewed auditors of companies that have experienced a breach into their computer systems. They’ve sought to find out how the auditors and their firms responded to the incidents.

Audit firms have provided varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit. “Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.

Auditors have also been retaining audit evidence about what their clients have been doing to understand the breaches of their computer systems.

Beyond IT

Most companies today view cybersecurity as a business problem, not just as an information technology (IT) issue. Powers reports that, as a result,  audit committees are “extremely interested in hearing what the auditors have to say about cybersecurity and have been vocal about what their expectations are relative to what the auditors are doing on cybersecurity.”

In addition, companies and their auditors must evaluate the costs associated with cybersecurity breaches, which may not always be apparent. “Cost is like an iceberg,” Powers said. “You realize 85% of the iceberg is under the sea, and you can’t really see it. Those costs are the costs that companies are wrestling with, and certainly costs that auditors are wrestling with, when they look at financial statement presentations.”

Work in progress

The PCAOB hasn’t found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there is a risk that future cyberattacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program this year to explore what auditors are doing to protect client and stakeholder data.

“We will be looking for their cybersecurity strategies, what is their governance, basically managing and overseeing that strategy,” Powers said. “How do they identify and prioritize risks? What kind of controls do they establish? But equally as important, how do they monitor that those controls are operating effectively?”

Specifically, the PCAOB hopes to gain insight into:

  • How companies evaluate, manage and respond to cyberrisks and cyber incidents,
  • The implications of cyberrisks and cyber incidents for financial reporting, including disclosure obligations in filings with the Securities and Exchange Commission (SEC),
  • Auditor responsibilities as part of an audit of financial statements or internal controls over financial reporting related to cyberrisks and cyber incidents, and
  • How audit firms evaluate, manage and respond to their own cyberrisks and cyber incidents.

PCAOB inspectors also want to understand how auditors establish and maintain timely communications with audit committees and external stakeholders.

Universal risk factor

The PCAOB’s inspection project targets audits of public companies. But private companies can also be victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The PCAOB’s findings underscore the need for auditors of entities of all sizes to modify their procedures to answer key questions about cyberrisks and the effectiveness of their audit clients’ internal controls.

© 2018