The accounting profession is putting the finishing touches on a new, voluntary audit that will help companies better assess how well they’ve prepared themselves to withstand and respond to a cyber attack.
The American Institute of Certified Public Accountants expects to finalize new guidance this spring that will give auditors the criteria needed to perform a deep dive into a company’s cyber-security risk management and help companies spot where they may have vulnerabilities. “It’s an attestation service that can be done to test the design and operating effectiveness of a company’s cyber-security risk management controls,” says Sandy Herrygers, a partner at Deloitte & Touche.
The AICPA issued exposure drafts of the proposed guidance and examination criteria in late 2016 to seek plenty of public feedback on whether the approach would be effective in helping boards of directors and senior management to assess and remediate their approach to cyber resilience. Auditors have not traditionally had a role in auditing a company’s cyber-security risk management, except to the extent it is a factor in financial statement assertions and internal control over financial reporting. The new exam would arm auditors with the tools and criteria to take a deeper look at a company’s cyber-security measures.
Audit firms are well suited to perform such exams because they also house plenty of cyber-security consulting operations that assist with technology issues, says Herrygers. The AICPA has long provided guidance to auditors on performing engagements to examine controls at service organizations, which companies rely on to achieve compliance with internal control reporting. As the AICPA has developed the exam, large audit firms have already been gearing up to perform the new service where companies elect it.
The audit profession is optimistic that this new cyber exam could become a de facto baseline for companies doing business with one another. “Today there isn’t really a consistent way that’s market-accepted to evaluate controls from company to company,” says Herrygers. “If certain companies get this exam done and they have it as a general use exam, others will see that they have it, and then competitors will want to get it if it gives them a competitive advantage.”
The new exam uses the COSO Internal Control — Integrated Framework, which nearly all public companies use as the basis for their internal control over financial reporting, as the “spine” of the exam, says Herrygers. “You will see familiar linkage around the risk assessment, control activities, monitoring,” she says. “All those elements of COSO are there.”
The exam will not be limited, however, to programs built around the COSO framework or any other framework, Herrygers says. The marketplace offers a number of accepted frameworks for managing cyber risk, including NIST, ISO, ITIL, and others. “The way the exam is structured, there’s flexibility in what control framework the company is using,” she says.