The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

CAQ’s New Cybersecurity Risk Management Oversight Tool: A Protiviti Analysis

Scott Laliberte

Managing Director

Cybersecurity is among the most critical risks that organizations need to address today. Management and protection of data, availability of critical systems and infrastructure, and the risk of cybersecurity threats are among the most pressing concerns for executive teams and boards of directors around the world.

Earlier this year, the U.S. Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing cybersecurity risk and incident disclosures, which we covered in a March blog post. Now the Center for Audit Quality (CAQ) has created a tool to assist board members in cybersecurity risk oversight. Protiviti published a Flash Report analyzing the new tool and how it might best be applied by board members as they discuss cybersecurity risks and disclosures with management and CPA firms.

The tool, which can be downloaded from the CAQ website, is a collection of resources and questions for board members to ask of management and the financial statement auditor. Questions are organized under four key areas:

  • Understanding how financial statement auditors consider cybersecurity risk
  • Understanding the role of management and responsibilities of the financial statement auditor
  • Understanding management’s cybersecurity risk management approach
  • Understanding how CPA firms can serve as partners in oversight

Cybersecurity risk issues are numerous, complex and ever-changing, and they warrant a heightened level of awareness and discussion among stakeholders. The CAQ’s tool is designed to help start, focus and sustain that discussion.

Dialogue sparked by these questions can help clarify roles and responsibilities: management as the first line of defense, internal audit in its assurance and advisory role, and the external financial statement auditor, on whom a board should not rely as the sole source of cybersecurity assurance.

As the CAQ notes, a company’s overall IT environment includes systems, networks and related data that address not only financial reporting but also operational and compliance needs. This requires a view of cybersecurity risk far broader than just financial reporting.

It is important to have as inclusive a view of risk as possible. Protiviti recommends a formal assessment of both business and technology risks to provide a holistic view of all critical risks and where cybersecurity fits into that overall picture. It is also helpful to conduct an independent review of the completeness and effectiveness of the controls the organization puts in place to manage identified risks.

The pace of technological change, coupled with the rate at which organizations are applying technology throughout the organization, has made regular, or even real-time, risk assessments an essential part of the risk management process. In defining expectations for management in the cyber space and establishing clear accountabilities for results, the board should seek multiple sources of input.

The CAQ’s new tool is not meant to provide an all-inclusive list of questions, nor is it intended to serve as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. Nevertheless, the discussions these questions are likely to spark, combined with the cybersecurity-related resources compiled by the CAQ, the American Institute of Certified Public Accountants (AICPA), the National Association of Corporate Directors (NACD) and other organizations, can go a long way toward helping ensure that boards of directors and audit committees maintain a clear understanding of cybersecurity risks and of the risk management roles assigned to each of the three lines of defense.

To learn more, download the Protiviti Flash Report here.

Authors

Scott is the Global Leader of Protiviti’s Emerging Technology Group. Scott and his team enable clients to leverage...