CAQ: Audit’s role in cyber-security exams

Public company auditors are starting to suggest companies voluntarily submit to an independent cyber-security examination separate from the existing financial statement audit.

In a chapter of a 236-page paper by the Internet Security Alliance prepared for its recent conference, the Center for Audit Quality says the American Institute of Certified Public Accountants is developing a new process for examining and reporting on a company’s cyber-security risk management. It contemplates an independent cyber-security report being produced by either a company’s current external auditor or another audit firm.

Much the way financial statements and the related audit convey the financial state of a company, a cyber-security report would give users information on the state of a company’s cyber risk management program. It would describe the entity’s risk management program, providing management’s assertion about whether it is fairly presented and whether the controls are suitably designed and operating effectively. The report also would include an audit opinion on the fairness of management’s presentation and the suitability and operating effectiveness of controls.

Such an approach would get companies moving beyond the often reactive, piecemeal approach to cyber-security that is more common today, the CAQ says. “A comprehensive approach that is risk based and driven from the internal control structure of the company and that can be delivered with independence and objectivity offers a new approach for management and boards to bring to bear on cyber-security risk,” the CAQ writes.

In preparation for its recent cyber-security conference, the ISA produced a collaborative publication bringing together a range of perspectives and recommendations from various industries and professional groups in both the private sector and public policy organizations. The publication is meant to try to impart some wisdom on the incoming presidential administration.

The CAQ’s chapter says an independent cyber-security examination could be aligned with the 17 principles of COSO’s Internal Control -- Integrated Framework and mapped to the National Institute of Standards and Technology Cybersecurity Framework as well as the International Organization for Standardization Information Security Management Framework. That would allow companies to choose from among multiple cyber-security internal control frameworks for their risk management approaches.

Cyber-security is a top priority for the CAQ given its prominence for investors and markets, said Cindy Fornelli, executive director, in a statement. "Auditors can expand their role in accordance with time-tested assurance frameworks, thus bringing the profession's many strengths to bear on today's cyber-security challenges."