To stoke more board inquiry on cyber-security, the Center for Audit Quality has published a primer on questions that any management team and external auditor should be ready to answer.
The CAQ paper serves as a kind of roadmap to board oversight of cyber-security risk management. It is intended to give board members a game plan for how to query senior management and external auditors on cyber risks they are addressing, or should be addressing.
The line of questioning is grouped into four major areas. How are financial statement auditors considering cyber-security risks? What is the role of management and the auditor in terms of cyber-security disclosures? What is management’s approach in managing cyber-security? And what more can boards ask their accountants and auditors to do with respect to cyber-security risk management?
The CAQ even includes a series of questions suggested by the National Association of Corporate Directors covering areas like situational awareness, strategy and operations, insider threats, supply chain and third-party risks, incident response, and interaction with third parties, including regulatory and law enforcement authorities. It also explains various resources boards can leverage to fulfill their oversight duties.
The CAQ says the idea is to arm directors with the information they need to spark the right kind of dialogue. It is meant to bring to light what auditors should be doing with respect to cyber risks as they relate to the financial statement audit as well as the audit of internal control over financial reporting, where it is required. It might also help board members better understand what more they can expect auditors to do, the CAQ says.
The Securities and Exchange Commission recently issued new guidance to prod more disclosure to investors about not only cyber-security risks, but also known breaches. The SEC said the guidance is meant to remind companies of the importance of having policies and procedures to address cyber risks and breaches and to remind them of their disclosure obligations with respect to material information.
Data from Audit Analytics would suggest companies have a gap to fill in terms of providing investors with appropriate disclosures. According to the research firm, only 37 percent of cyber-security breaches affecting public companies from 2011 through 2017 were disclosed in SEC filings.
“Boards of directors face an enormous challenge in overseeing how their companies manage cybersecurity risk,” said Cindy Fornelli, director of the CAQ, in a statement. The CAQ paper is meant to foster dialogue that will help boards address those challenges and establish clear understanding of roles and responsibilities, she said.