If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.
Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.
The Importance of Communicating About Cybersecurity
Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.
Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”
Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.
At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.
CPA Firms and Cybersecurity: Bringing Expertise and Values
Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.
Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, but they have also played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.
Key Topics to Discuss with Your Auditor
So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.
How the Financial Statement Auditor Considers Cybersecurity Risk
An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).
A talk with the external auditor might involve the following questions.
How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?
How CPA Firms Can Assist Boards in Cyber-Risk Oversight
Although cybersecurity risk management practices are generally beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.
One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place in a company’s initiatives.
Here are seven questions to ask CPA firms about these initiatives.
How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
What technical expertise do CPA firms possess that qualifies them to perform a readiness engagement or an examination to validate the effectiveness of controls specific to a company’s cybersecurity risk management program?
The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
What is the audit profession doing to help address cybersecurity risks from third-party vendors or service providers?
What other types of engagements are available to help board members with cybersecurity risk oversight?
These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.
As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once a culture of dysfunction inculcates a flawed business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom matches the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check to a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can help improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should also determine whether a cost-effective monitoring process is in place to address the top compliance risks and to assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than relying on costly, system-wide protection measures that leave the most important assets without adequate attention, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.
Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.
1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.
2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:
“Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
Watch for patterns or signs indicating a deteriorating risk culture.
By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.
3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.
4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.
5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.
6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.
Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.
Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
Does internal audit have an appropriate mix of consulting and assurance activities?
Does internal audit have the stature and access necessary to maximize its effectiveness?
Jim DeLoach is managing director with Protiviti, a global consulting firm.