Auditors now have a new guide available to them to help examine and report on companies’ efforts to manage their cyber risk, and the profession is touting its ability to contribute to the effort.
The American Institute of Certified Public Accountants has finalized the guide it developed to give auditors a roadmap for scrutinizing and reporting on a company’s cyber-security risk management program and controls. At the same time, the Center for Audit Quality has published a white paper making the case for how the qualities of the audit profession position it well to take on a greater role in helping companies size up and address their cyber risks.
The AICPA says corporate directors and senior management are getting requests from stakeholders asking for timely third-party assessments of companies’ cyber-security risk management programs and their effectiveness. That prompted the AICPA to give the profession a tool for providing voluntary, market-based answers that can facilitate better communication.
The AICPA guide enables auditors to provide a new kind of assurance service that can help companies demonstrate to stakeholders, including customers and vendors, what the company has done to identify and mitigate its cyber risks. The finalization of the guide follows earlier resources provided to the profession to define cyber risk description and control criteria that lay the foundation for a voluntary cyber-security and risk management framework.
The new 263-page guide explains how auditors can plan and perform a cyber risk management exam, and how to arrive at an opinion and prepare a final report. It gives auditors and even companies a common language for describing and reporting on cyber risk to make cyber readiness more transparent across entities, the AICPA says.
“Cybersecurity challenges are stark, and they demand that every sector of the economy play a role,” said Cindy Fornelli, executive director at the CAQ, in a statement. She says she’s confident the profession can leverage its training in taking an independent, objective stand to improve cyber-security information and practices.