If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.
Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.
The Importance of Communicating About Cybersecurity
Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.
Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”
Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.
At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.
CPA Firms and Cybersecurity: Bringing Expertise and Values
Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.
Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.
Key Topics to Discuss with Your Auditor
So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.
How the Financial Statement Auditor Considers Cybersecurity Risk
An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).
A talk with the external auditor might involve the following questions.
How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?
How CPA Firms Can Assist Boards in Cyber-Risk Oversight
Although cybersecurity risk management practices are typically beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.
One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.
Here are seven questions to ask CPA firms about these initiatives.
How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
What technical expertise do CPA firms possess that qualify them to perform a readiness engagement or an examination to validate effectiveness of controls specific to a company’s cybersecurity risk management program?
The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
What is the audit profession doing to help address cybersecurity risks from third-party vendors or service providers?
What other types of engagements are available to help board members with cybersecurity risk oversight?
These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.
Federal deregulation efforts are taking place while at the same time we are witnessing heightened expectations of governance accountability. The rapid convergence of these two trends is creating a seminal challenge for the audit and compliance committee of many corporate boards.
At the surface, it is hard to spot any corporate negatives to the administration’s deregulation initiatives. Indeed, boards may well embrace the expectation of relaxed regulations and more limited civil and criminal enforcement activity.
Yet, there is a legitimate concern that executives and line managers who are ordinarily prone to “push the edge of the envelope” may interpret deregulation as a “green light” to pursue business strategies that may be legally problematic. This attitude could threaten the authority and influence of the committee’s compliance agenda.
This relaxing of executive attitudes towards legal boundaries would come at the worst possible time, with emerging expectations of fiduciary obligations heading in exactly the opposite direction. Rather than relaxing expectations of compliance program oversight, these trends (reflected in court decisions, regulatory actions, and academic commentary) would hold directors more directly accountable for corporate compliance failures. “Where was the board when all this was going on?” Now especially, the audit and compliance committee is well advised to be proactive in asserting its oversight powers.
These converging initiatives are highlighted by several recent developments.
The “Brand Memorandum” from the Department of Justice (DOJ) is the most recent compliance extension of administration-driven deregulation. The specific focus of the Brand Memorandum is to (i) confirm that the DOJ may not use its enforcement authority to effectively convert agency guidance into binding rules; and (ii) prohibit DOJ attorneys from using noncompliance with guidance documents as a basis for proving legal violations in civil enforcement actions, including but not limited to actions brought under the False Claims Act.
Examples of such guidance include documents such as preamble commentary, manuals, bulletins, fraud alerts, policy guidance, advisory opinions, and national and local coverage determinations. Oftentimes, such guidance is woven into corporate compliance programs and risk guidelines, as may be relevant to a particular industry sector.
The Brand Memorandum provides defendants with a valuable tool in defending FCA actions—whether brought by the DOJ or relator’s counsel—that attempt to use alleged noncompliance with agency sub-regulatory guidance as support for a False Claims Act theory. It does not, however, suggest any relaxation of existing DOJ enforcement practices.
The pending release of long-anticipated revisions to the controversial Yates Memorandum would likely add to the audit and compliance committee’s burden. According to Deputy Attorney General Rod Rosenstein, the changes to Yates will be “modest,” and are intended to address possible ambiguities and potentially inconsistent applications of policy.
The main idea of the Yates Memorandum, holding individuals accountable for corporate wrongdoing where appropriate, is expected to be kept in place. But the corporate compliance concern is the potential for organizational misperceptions that because of the Brand Memorandum, “Yates has been repealed,” and that individual accountability is no longer a focus of government enforcement policies.
Board Accountability Developments
The Delaware Supreme Court requires a very high burden of proof to sustain a claim for breach of the director’s Caremark compliance program oversight duty. However, leading governance observers acknowledge the potential that, given harsh fact patterns (e.g., material harm to consumers or shareholders), courts may less strictly apply the Caremark standard in the future. A recent decision of the Federal District Court in Northern California, involving a derivative action against the officers and directors of a financial services firm for breach of fiduciary duty, lends credence to this concern.
There, the court denied a motion to dismiss filed by the defendant officers and directors. The court was sufficiently persuaded by the totality of red flags of which the board was allegedly aware, and the fact that many of them were presented in the form of direct communications and reports to the board. The court also appeared persuaded by the fact that many of the defendant officers and directors also served on committees with direct oversight over the alleged conduct that was the source of the losses cited in the complaint. Thus, the case continues.
The Federal Reserve Bank’s February enforcement action against Wells Fargo & Co., with its concurrent impact on officers and directors, is the most recent indication that regulatory agencies may be willing to hold directors personally accountable for serious corporate compliance and conduct failures occurring during the period of their board service. The Fed clearly sought to hold governance responsible for the weakness of the company’s risk management and legal compliance programs. It is conceivable that this enforcement action may serve as a model for other regulatory agencies confronting issues associated with corporate compliance breakdowns.
More generally notable are efforts such as the New York City Comptroller’s Boardroom Accountability Project 2.0, which is intended to improve the quality of boards of directors.
A Possible Approach
Boards may need to take proactive steps in order to counter the consequences of the convergence of deregulation and accountability. It may be important to send a clear message throughout the organization that corporate policies on legal compliance, corporate conduct, and legal risk evaluation of business initiatives will not change—and may even be strengthened. This action would build upon the elements of director accountability increasingly identified by courts and regulatory entities; i.e., that compliance committees should be particularly engaged in monitoring the legal risks of business strategies.
The committee may thus choose to increase its focus on, among other steps, ensuring that (i) the business strategies approved by the board are consistent with the risk management capabilities of the company; (ii) the company’s risk management and legal compliance programs are sufficiently robust to prevent improper behavior; (iii) the board has sufficient information to carry out its responsibilities; (iv) robust inquiry and demand for further information is made about serious compliance issues that come to the board’s attention; and (v) corporate culture recognizes the importance of adherence to internal policies, and awareness of regulatory agency guidance documents.
Michael W. Peregrine, a partner at the law firm of McDermott Will & Emery, advises corporations, officers, and directors on matters relating to corporate governance, fiduciary duties, and officer and director liability issues. His views do not necessarily reflect the views of the firm or its clients. Mr. Peregrine thanks his partner, Tony Maida, for his contributions to this post.
Scott Zimmerman, Phillip Austin, Marty Baumann, Dan Sunderland, and the author discuss “Challenges Facing the Audit Profession” at the AAA’s 2018 Auditing Section Midyear Meeting.
“The new audit report is a great opportunity for the profession.” So spoke Marty Baumann, chief auditor and director of professional standards at the US Public Company Accounting Oversight Board (PCAOB), at a panel during the American Accounting Association (AAA) Auditing Section’s midyear meeting this past January.
I agree wholeheartedly with Marty.
Updating the auditor’s reporting model in the United States represents an extraordinary opportunity, as it has in the United Kingdom and elsewhere. Yet as we discussed on that January panel, with opportunities come challenges—and I have put together some strategies for addressing those challenges.
To understand the opportunities and challenges associated with updating the auditor’s report, it helps to start with the basic elements of the new PCAOB auditing standard.
The standard features a phased implementation approach. The first phase—which affects PCAOB audits of companies with fiscal years ending on or after December 15, 2017—includes disclosing auditor tenure and other changes to the form and content of the auditor’s report.
The second phase of implementation requires communication of critical audit matters (CAMs). The standard defines a CAM as any matter arising from the audit of the financial statements that meets all the following criteria:
was communicated or required to be communicated to the audit committee;
relates to accounts or disclosures that are material to the financial statements; and
involved especially challenging, subjective, or complex auditor judgment.
The effective dates for CAMs to be included in the auditor’s report are (1) fiscal years ending on or after June 30, 2019 for audits of large accelerated filers and (2) fiscal years ending on or after December 15, 2020 for audits of all other companies to which the requirements apply.
What opportunities will these changes bring? Conversation at the AAA panel covered a range of possibilities.
Possible insights for investors. Scott Zimmerman, a partner at EY and its Americas Assurance Innovation division, said that each audit should result in “some type of meaningful insight.” Baumann suggested that such insights can “add to the total mix of information that investors use in making decisions,” and offered his view that the audit report could, for some investors, even become “the first place to go in a very big 10-K with a complex set of financial information.”
Differentiation via technology. As a digital expert, EY’s Zimmerman knows how technology can be a competitive differentiator for audit firms, particularly as use of data analytics and artificial intelligence grows. He noted that EY, like many firms across the profession, is examining how technology can be leveraged in the context of the CAMs that will be communicated in an expanded auditor’s report.
Future academic research. As each audit generates insights, academics can sift through the data to track broader patterns in financial reporting. Baumann noted that researchers might investigate possible correlations between CAMs and stock prices, for example, or financial disclosures.
While acknowledging the excitement around these and other opportunities, panelists also recognized challenges.
Boilerplate potential. In December 2017, US Securities and Exchange Commission Chair Jay Clayton quipped that it would be a “bummer” if CAMs devolved into boilerplate language of little or no use to investors. At the AAA meeting, panelist Dan Sunderland, chief auditor and national leader for Audit and Assurance Services at Deloitte & Touche LLP, noted that the nature of the disclosure in CAMs would be the “keys to the kingdom”—and that auditors are well aware of the importance of avoiding boilerplate.
Interference with audit committee communication. Panelist Phillip Austin, the national managing partner of Auditing at BDO USA, noted that, with the new disclosure of CAMs, some company executives might be tempted to “manage” communication between the auditors and the audit committee.
Disclosure tension. In the discussion, panelists contemplated scenarios where auditors may disclose in CAMs information that management is not obliged to disclose. “That’s going to be tricky,” said Austin. Baumann indicated this would be an area that the PCAOB would track carefully.
Strategies for Success
To make the most of the opportunities presented by the new report, panelists discussed strategies to address the challenges of implementing the new reporting models. Audit committee members should become familiar with the following strategies for success.
Maintain open dialogue between auditors and audit committees. As with many items related to the financial reporting process, strong and ongoing communication will be critical around the new auditor’s report. Baumann cited the importance of dialogue around challenging issues, such as revenue recognition or significant and unusual transactions that a company might have, that could be critical audit matters. To foster this dialogue, the Center for Audit Quality (CAQ) has produced a tool for audit committees regarding changes to the auditor’s report.
Pilot-testing. For auditors, “the critical thing is to try to pilot things in the short run,” said Sunderland. This pilot-testing should involve auditors talking through the process with the audit committee, he added.
Pay close attention to the post-implementation review. For regulators, it will be vital to monitor implementation of the standard, particularly given risks such as creeping boilerplate. Marty Baumann voiced the PCAOB’s strong commitment to robust post-implementation review, starting with the implementation of CAMs.
What challenges, opportunities, and necessities do you see regarding updating the auditor’s report? I welcome your thoughts in the comments. And be sure to visit the CAQ’s resource page on auditor reporting for more information.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.