Cybersecurity is among the most critical risks that organizations need to address today. Management and protection of data, availability of critical systems and infrastructure, and the risk of cybersecurity threats are among the most pressing concerns for executive teams and boards of directors around the world.
Earlier this year, the U.S. Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing cybersecurity risk and incident disclosures, which we covered in a March blog post. Now the Center for Audit Quality (CAQ) has created a tool to assist board members in cybersecurity risk oversight. Protiviti published a Flash Report analyzing the new tool and how it might best be applied by board members as they discuss cybersecurity risks and disclosures with management and CPA firms.
The tool, which can be downloaded from the CAQ website, is a collection of resources and questions for board members to ask of management and the financial statement auditor. Questions are organized under four key areas:
- Understanding how financial statement auditors consider cybersecurity risk
- Understanding the role of management and responsibilities of the financial statement auditor
- Understanding management’s cybersecurity risk management approach
- Understanding how CPA firms can serve as partners in oversight
Cybersecurity risk issues are numerous, complex and ever-changing, and they warrant a heightened level of awareness and discussion among stakeholders. The CAQ’s tool is designed to help start, focus and sustain that discussion.
Dialogue sparked by these questions can help clarify roles and responsibilities – from management as the first line of defense to the assurance and advisory roles of internal audit and the risks of overreliance on external auditors of financial statements as the sole source of assurance.
As the CAQ notes, a company’s overall IT environment includes systems, networks and related data that address not only financial reporting but also operational and compliance needs. This requires a view of cybersecurity risk far broader than just financial reporting.
It is important to have as inclusive a view of risk as possible. Protiviti recommends a formal assessment of both business and technology risks to provide a holistic view of all critical risks and where cybersecurity fits into that overall picture. It is also helpful to conduct an independent review of the completeness and effectiveness of the controls the organization puts in place to manage identified risks.
The pace of technological change, coupled with the rate at which organizations are applying technology throughout the organization, has made regular, or even real-time, risk assessments an essential part of the risk management process. In defining expectations for management in the cyber space and establishing clear accountabilities for results, the board should seek multiple sources of input.
The CAQ’s new tool is not meant to provide an all-inclusive list of questions, nor is it intended to serve as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. Nevertheless, the discussions these questions are likely to spark, combined with the cybersecurity-related resources compiled from the CAQ, the American Institute of Certified Public Accountants (AICPA), the National Association of Corporate Directors (NACD) and other organizations, can go a long way toward helping ensure that boards of directors and audit committees maintain a clear understanding of cybersecurity risks and the various risk management roles assigned to each of the three lines of defense.
To learn more, download the Protiviti Flash Report here.