In a recent survey of IT security professionals by the Ponemon Institute (a research center dedicated to privacy, data protection and information security policy), 68% of respondents said that their companies experienced a security breach or incident in the past 24 months, and 57% expected a breach in the next year. Yet only 20% of respondents regularly communicated with management about cyber threats.
Earlier this year, the Center for Audit Quality (CAQ) issued an alert regarding the external auditor’s responsibilities with respect to cybersecurity matters.
Per the alert, auditing standards require an auditor to:
- Understand how the business uses IT and the impact of IT on the financial statements,
- Understand the extent of the company’s automated controls as they relate to financial reporting (including IT general controls that are important to the effective operation of automated controls and the reliability of company-produced data and reports used in the audit), and
- Use his or her understanding of the business’s IT systems and controls in assessing the risks of material misstatement of financial statements, including IT risks resulting from unauthorized access.
Significantly, the auditor’s role is limited to the audit of the financial statements and, if applicable, the internal control over financial reporting (ICFR). These responsibilities, the CAQ emphasizes, “do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform.”
The CAQ notes that an audit encompasses systems and data that are merely a subset of the systems and data a company uses to support its overall business operations. The auditor’s primary focus, the alert explains, is on controls and systems that are “in closest proximity to the application data of interest to the audit.” This includes enterprise resource planning (ERP) systems, single-purpose applications (such as fixed asset systems) and any connected systems that house financial-statement-related data.
The alert points out that, “given the focus on a narrower slice of a company’s overall IT platform,” a financial statement and ICFR audit in accordance with professional standards likely wouldn’t include areas addressing a cybersecurity breach.
However, keep in mind that, if the auditor learns of a material breach, he or she should consider its impact on financial reporting (including disclosures) and ICFR.
Fill the gaps
Cyber breaches typically occur through perimeter and internal network layers, which are somewhat removed from the systems examined in an external audit. As cyber threats become increasingly common, it’s critical for public companies to understand the scope of the external auditor’s responsibilities in this area and to develop a cybersecurity program that fills in the gaps.