Auditors are arming up to take a more front-line position in the escalating cyber-war, but for this year’s audit cycle their scope is still as limited as ever: the context of the financial statements.
The role of external auditors in combatting cyber-risk is a bit murky to many in capital markets. Internal auditors may be looking more deeply at cyber-risk, but external auditors also ask a lot of questions about the policies and procedures companies have in place with respect to cyber-security. Yet they don’t provide any kind of backstop on a company’s resilience to a possible cyber-attack. So what’s with all the questions? And why can’t they do more?
Lately, auditors’ questions are driven by an intersection of heightened cyber-risk to financial statements with a heightened focus on audit quality in general by regulators, especially the Public Company Accounting Oversight Board.
The increased cyber-risk is evident to most in business these days. Although the headlines of late have focused more on hacks with political consequences, the risks to private firms are not going away. A recent report from Accenture says an alarming one-third of all focused and targeted cyber-breach attempts are successful in breaking into the company’s network.
At the same time, through its inspection program in recent years, the PCAOB has pressed auditors to provide greater assurance around data managed within information systems. In audit parlance, auditors need to gather more audit evidence around the design and operating effectiveness of information technology general controls. That means they need a better answer for the question: How do we know the data coming from these systems is complete and accurate?
“From a regulatory standpoint, we are being asked a lot more questions about cyber-security,” says Mike Yates, a partner at Crowe Horwath. “It’s all about controls, identifying information, and understanding management’s risk assessment process that they go through.”
Auditing standards require auditors to understand how the company uses information technology and how that affects the fair presentation of financial information in financial statements. To the extent cyber-security is a risk to the completeness and accuracy of that information—and who could argue that it isn’t?—that’s where auditors are asking questions.
“We’re not looking deep into the cyber-security program,” says Sara Lord, national director of assurance services at audit firm RSM. “We would be asking questions like: Do you have a cyber-security risk management program? Do you have something in place if a cyber-event happens around how you would respond? Have you had a cyber-event? It’s top level.”
The PCAOB hasn’t been overly vocal about cyber-risks specifically, says Jeff Ward, national managing partner for third party attestation services at audit firm BDO USA. Instead, the board and inspectors are focused on what auditing standards require around assessing the risks associated with IT general controls, and that logically includes cyber-risks.
ACCESS PATH TO IT SYSTEM
The following diagram from the Center for Audit Quality depicts the typical access path to an IT system.
As hackers become more sophisticated and breaches become more commonplace, that means the risk is growing, which means audit scrutiny should be growing as well. “Controls need to adapt at a much more rapid pace than a typical control that might be in place,” says Ward. “The technology is increasing, so the controls should evolve at a faster pace. If you’re relying on older procedures and older technologies, this will come into question more.”
Under current auditing standards, auditors’ questions will fall into three major buckets, says Sandy Herrygers, IT specialist leader at Deloitte. First, auditors need to understand how a company uses IT as it relates to the flow of transactions all the way to each material line item in the financial statements. Next, auditors need to understand the risks arising from IT and how IT is used in the financial reporting process.
Auditing standards contain some direct language around IT risks, says Herrygers, especially around access controls and change management. “It’s those access risks that most directly relate to cyber-security risks,” she says.
Cyber-security is a broad topic that speaks to a number of business risks, not just financial reporting, but also compliance more broadly and even operations. “When you think of cyber-security as it relates to what we do for the integrated audit, it’s a much narrower risk,” says Herrygers. “It’s specifically related to financial reporting and internal control over financial reporting. This is the most important differentiation point.”
The auditor’s primary focus is on the controls and systems that are in the closest proximity to the application data of interest to the audit—that is, the systems and applications that house financial statement-related data. It is important to note that cyber-incidents usually first occur through the perimeter and internal network layers, which tend to be further removed from the application, database, and operating system layers that are typically included in access control testing of systems that affect the financial statements.
Source: Center for Audit Quality
The third area of questioning for auditors is around whether a company has experienced a cyber-breach, says Herrygers. “We basically have to consider the potential impact of that breach as it relates to financial reporting and related internal controls the company has in place,” she says. Auditors evaluate whether there are control deficiencies underlying the breach that are relevant for financial reporting controls. “We focus on the accounting and disclosure that’s been done around that breach.” That might include any contingent liabilities that would need to be recorded and any financial statement disclosures that would be necessary.
Although there are plenty of frameworks and tools available to examine cyber-risk, the American Institute of Certified Public Accountants is developing a new tool for auditors that would enable them to look deeper at cyber-risks, but it won’t be ready for 2016 year-end audits and it won’t be mandatory.
The AICPA is developing cyber-exam criteria for both management and auditors to use to help them assess their cyber-risk management and report it more effectively to all stakeholders. The idea is to give both corporate management and auditors guidance on how to evaluate everything the company has done to ward off a cyber-attack and cope with one if or when it happens.
The two-part package is meant not only to help companies better understand their cyber-resilience, but also to make it more efficient for them to report on their cyber-readiness to any number of stakeholders. It is a bit like the attestation reports (such as SOC 1 reports) that service organizations obtain when their internal controls are important to their clients’ financial statement assertions.
As cyber-risk escalates, more companies are concerned about how safe their information is when it is entrusted to third parties, says Yates. Some companies have gotten more proactive about protecting their own systems, but may have little or no idea how secure their data is in the hands of third parties. “You shouldn’t worry just about your own house,” he says. “You should worry about the people you do business with. That’s going to gain a lot of traction here soon.”