May 8, 2018
If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.
Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.
The Importance of Communicating About Cybersecurity
Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.
Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”
Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.
At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.
CPA Firms and Cybersecurity: Bringing Expertise and Values
Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.
Key Topics to Discuss with Your Auditor
So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.
How the Financial Statement Auditor Considers Cybersecurity Risk
An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).
A talk with the external auditor might involve the following questions.
How CPA Firms Can Assist Boards in Cyber-Risk Oversight
Although cybersecurity risk management practices are generally beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.
One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place in a company’s initiatives.
Here are seven questions to ask CPA firms about these initiatives.
These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.