
MORE AUDITORS LOOK AT CYBERSECURITY

Posted on June 30th, 2018

A PCAOB official said more audit engagement teams today are including cybersecurity when they do a risk assessment of a client. The auditor’s increased scrutiny about whether cybersecurity breaches have affected financial reporting or internal controls comes as the frequency and severity of cyberattacks have increased.
PCAOB inspectors are seeing an increasing number of audit engagement teams focused on matters related to cybersecurity risk, a board official said during a meeting of the board’s Standing Advisory Group on June 5, 2018, in Washington.
“The engagement teams are out there trying to identify risk to be able to determine what audit procedures they need to follow”, said William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections. “We are seeing more and more that those procedures are including the risk of cybersecurity or, on occasion, the risk that results from a cybersecurity incident having occurred during the audit year.”
The PCAOB made cybersecurity one of its inspection focus areas about three years ago, and Powers said the staff instituted a program to speak with the engagement teams of audit clients that have experienced a breach of their computer systems, to find out what the auditors were doing and what their firms were doing to support the audit teams.
“Many of the firms have provided varying levels of guidance, specifically to the engagement teams, both in terms of how do you go about assessing risk when you start your audit as well as what do you do when you uncover the fact that a cybersecurity incident has occurred during the course of your audit or during the period under audit”, Powers said, while summarizing some key observations from inspections in the past three years. “Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents.”
The PCAOB’s inspections staff has also found that audit firms have been retaining audit evidence about what their clients have been doing to understand the breaches of their computer systems.
Meanwhile, Powers said most companies today view cybersecurity as a business problem, not just as an information technology issue.
“Consequently, those risks, associated with those business issues, can be significantly larger than just the risk associated with IT”, Powers said. “Board committees have been extremely interested in hearing what the auditors have to say about cybersecurity and have been vocal about what their expectations are relative to what the auditors are doing on cybersecurity.”
In addition, Powers said companies and their auditors have to deal with the costs associated with cybersecurity breaches, which may not always be apparent.
“Cost is like an iceberg”, he said. “You realize 85 percent of the iceberg is under the sea, and you can’t really see it. Those costs are the costs that companies are wrestling with, and certainly costs that auditors are wrestling with, when they look at financial statement presentations.”
While the board has yet to find a material misstatement on a public company’s financial statements as a result of a cybersecurity breach, there is a risk that future cyberattacks may affect financial reporting. Powers said the PCAOB staff is expanding its inspection program this year to explore what auditors are doing to protect clients’ data and stakeholder data.
“We will be looking for their cybersecurity strategies, what is their governance, basically managing and overseeing that strategy. How do they identify and prioritize risks? What kind of controls do they establish? But equally as important, how do they monitor that those controls are operating effectively?” Powers said. “We want to understand how do they respond to cybersecurity incidents, and how they basically establish and maintain and conduct timely communications internally within the organization but also externally with regulators and other outside organizations.”
The PCAOB does not inspect all audits but tends to inspect audit firms based on a risk assessment of areas where deficiencies are likely to occur.

Copyright © 2018 Thomson Reuters/PPC. All rights reserved.