Talk to Your Auditors About Cybersecurity

Published by Cindy Fornelli

If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.

Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.

The Importance of Communicating About Cybersecurity

Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.

Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”

Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.

At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.

CPA Firms and Cybersecurity: Bringing Expertise and Values

Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.

  • Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, but they have also played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
  • Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.

Key Topics to Discuss with Your Auditor

So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.

How the Financial Statement Auditor Considers Cybersecurity Risk

An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).

A talk with the external auditor might involve the following questions.

  1. How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
  2. If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
  3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
  4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
  5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

How CPA Firms Can Assist Boards in Cyber-Risk Oversight

Although cybersecurity risk management practices are typically beyond the scope of a financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.

One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place in a company’s initiatives.

Here are seven questions to ask CPA firms about these initiatives.

  1. How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
  2. How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
  3. What technical expertise do CPA firms possess that qualifies them to perform a readiness engagement or an examination to validate the effectiveness of controls specific to a company’s cybersecurity risk management program?
  4. The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
  5. What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
  6. What is the audit profession doing to help address cybersecurity risks from third-party vendors or service providers?
  7. What other types of engagements are available to help board members with cybersecurity risk oversight?

These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.

Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

Skepticism Lessons Learned

I’ve always been a trusting soul. One of my earliest lessons involved me diligently removing debris from a stream for someone in exchange for the official deed to the stream. The problem was, he didn’t own it.

I did not possess the skill of skepticism—defined in Audit Standard (AU) 316 as “an attitude that includes a questioning mind and a critical assessment of … evidence.” If I had, I would have observed that the shiny gold seal I was given was the kind you can buy at Woolworth’s 5 & 10, and that the stream ran not only behind the deedor’s property but behind contiguous ones as well.

Yet there’s hope for us all. On October 1, NACD launched a unique new webinar series on Skepticism as part of an ongoing Anti-Fraud Collaboration with the Center for Audit Quality (CAQ), Financial Executives International (FEI), and The Institute of Internal Auditors (IIA). Along with many at NACD, I was involved in this exciting project, and had a chance to review the upcoming episodes.

“Skepticism” relates to a search for the truth. The term comes from the Greek skeptikos used some 2,300 years ago by disciples of the philosopher Pyrrhos. The verb skeptesthai means “to reflect, look, view.” The earliest self-declared skeptics emphasized the importance of the senses in confirming reality. Over time, the word’s meaning expanded to include the notion of reasonable doubt. Today, the “skeptic” is perceived as a doubter—someone who may trust, but must always verify.

It’s an attitude we all need. And perhaps no one knows this better than series moderator Michele J. Hooper, president and CEO of The Directors’ Council, and a member of both the NACD board and CAQ’s governing board. Through questions and comments based on her considerable experience on a variety of public company boards, she brings out the best in the six-part series, outlined as follows:

  1. A brief introduction.
  2. The Etiquette and Ethics of Skepticism with Mary M. Mitchell, president, The Mitchell Group, and Bill White, professor at Northwestern University and experienced director.
  3. Professional Skepticism and the External Auditor with Cindy Fornelli, executive director, CAQ; and Greg Weaver, CEO and chairman, Deloitte & Touche.
  4. Skepticism and the Audit Committee with Marty Coyne, lead director and audit committee member, Akamai Technologies; and Ken Daly, president and CEO, NACD.
  5. Skepticism and the Financial Executive with Marie Hollein, president and CEO, FEI; and Greg Kabureck, chief accounting officer, Xerox Corporation.
  6. Skepticism and the Internal Auditor with Richard Chambers, president and CEO, The IIA; and Paul Sobel, vice president and chief audit executive, Georgia Pacific.

In addition to these webinars, NACD will release a white paper with in-depth background and additional resources on skepticism in December.

Why skepticism? It’s a great way to break the fraud triangle—composed of incentive, opportunity, and rationalization—which can cost businesses so dearly. Financial reporting fraud, the focus of this series, is responsible for a significant percentage of the $3.5 trillion that businesses lose to fraud every year, according to a recent study by the Association of Certified Fraud Examiners.

The labor I devoted to cleaning out that stream for a fake deed may not have been worth much in dollars, but whenever trust is violated the cost is too high.

Fraud is unfortunately a fact of life; therefore skepticism is a skill we all need.