How Auditors Assess Cyber Risks
March 24, 2021 | BY Joseph Hoffman
Data security is a critical part of the audit risk assessment. If your financial statements are audited, your audit team will tailor their procedures to answer critical questions about cyber risks and the effectiveness of your internal controls. While conducting fieldwork, they’ll assess how your practices measure up and whether your company has weaknesses that may require additional inquiry, testing and disclosure.
Is cybersecurity a priority?
Most companies today view cybersecurity as a business problem, not just as an information technology (IT) issue. During the audit process, it’s important to identify the “crown jewels” of your company’s data assets, and then consider how your management team evaluates, manages and responds to cyber risks and cybersecurity incidents.
People are often the weakest link in cybersecurity. So, auditors will evaluate your company’s training, awareness and accountability policies to ensure that sensitive data is kept safe. Those policies may need to be regularly updated as 1) hackers get more sophisticated and find new ways of breaking into systems, and 2) your business environment changes.
For example, remote working arrangements during the COVID-19 pandemic have resulted in new risks as employees access data from less-secure home networks. So companies may need to modify their practices to maintain effective data security.
Auditors also consider the tone at the top of your organization. Cybersecurity should be integrated into an organization’s values and goals. Responsibility shouldn’t fall solely in the hands of your company’s IT department. After all, if your company can’t keep its intellectual property and customers safe, its ability to operate will ultimately be diminished over the long run.
What’s important to investors and lenders?
To date, the Public Company Accounting Oversight Board (PCAOB) hasn't identified a material misstatement in a public company's financial statements that was caused by a cybersecurity breach. That record has supported stakeholders' confidence in auditors' ability to evaluate and identify cyber risks.
However, audit committees and external stakeholders recognize that future cyberattacks could affect financial reporting, and they expect auditors to communicate actively about cybersecurity measures and the costs associated with breaches. The full cost of a data breach, including incident response, remediation, legal exposure and reputational damage, may not be apparent for some time after the event. Financial statement disclosures should be as accurate, timely and comprehensive as possible.
An agile approach
Many traditional audit risks, such as supply chain and related-party risks, tend to be fairly constant and predictable over time. Cyber risks, by contrast, evolve constantly. We have experience evaluating and disclosing data security practices. Each accounting period, our audit team takes a fresh look at your company's cyber risks in today's marketplace and modifies our audit procedures as necessary. We can also help get your policies and procedures back on track if they haven't kept up with the times.