With the year-end audit approaching, now is the time for companies to look closely at one relatively new pain point in corporate audits—IT and cyber-security controls—to assure that the conversation is appropriately targeted toward risk.
External auditors no doubt will be scrutinizing IT controls that are important to financial statements, as the Public Company Accounting Oversight Board continues to give auditors poor marks in that area. Johnny Lee, a managing director at Grant Thornton who focuses on forensic accounting, says the interactions between external audit and IT staff will go much faster and easier if everyone can stay focused on risk.
“The conversation is difficult if you start straying too far from a risk-based discussion,” he says. “What are the core risks you’re trying to have us speak to in the control environment?”
Cyber-security has become a major focus in corporate IT circles in recent years, but that does not mean auditors and IT folks are focused on the same priorities or even working from the same standards or frameworks. That’s where the chief compliance officer needs to step into the discussion, says Worth MacMurray, senior vice president at compliance services provider GAN Integrity.
Auditors almost always follow the COSO Internal Control-Integrated Framework in their audit of financial statements and internal controls important to financial reporting, because that’s the framework almost all companies follow to satisfy their Sarbanes-Oxley reporting requirements. IT staff, however, might be following any number of frameworks that have different objectives, because the IT needs of any given company encompass much more than just financial reporting.
“The chief compliance officer can play a significant role in aligning those various parties because of their skill set,” MacMurray says. “They are used to dealing with a complex, multijurisdictional environment. It’s quite analogous to dealing with anti-corruption.”
It’s a common point of confusion, especially with audit committees, says Sandy Herrygers, a partner and IT specialist at Deloitte. “If you’re looking at a cyber-security program broadly, that’s going to cover all facets of the business: operational, processes, systems, and financial reporting,” she says. “If you’re looking at information systems controls that are tested as part of an integrated audit, you’re looking at a narrow slice of controls related to systems that are relevant to financial reporting.”
David Roath, a partner in risk assurance for PwC who focuses on cyber-security and other IT risks, says the COSO framework looks at controls from a higher level compared with many of the IT frameworks used today. “Other IT frameworks are more security- and privacy-oriented,” he says.
He’s thinking of the NIST framework, for example, produced by the National Institute of Standards and Technology and intended foremost for critical infrastructure industries such as public utilities. Others are published by the International Organization for Standardization, or by ISACA with its Control Objectives for Information and Related Technology framework (better known as COBIT).
CYBER-RISK FOCUS FOR AUDIT COMMITTEES
Below, KPMG outlines four key areas of focus to determine whether “management has its arms around cyber-risk.”
Periodically review management’s cyber security risk assessment. Every company should be conducting cyber security risk assessments as a matter of course. What are the company’s highest value digital assets, and what are the greatest threats and risks to those assets? How quickly will the company know if a security breach occurs? In a robust cyber security risk assessment, key areas of focus will include: cyber-security leadership and governance, human factors or “people risks,” legal and regulatory compliance, business continuity, operations and technology, and information risk. If the company has the right internal resources, the cyber security risk assessment can be conducted internally; however, as the cyber threat becomes more sophisticated, the company may need to call on recognized security specialists for support.
Understand the company’s cyber-security strategy and governance structure and how it fits into the company’s ERM program. Once viewed as a stand-alone program, cyber-security is increasingly a multi-disciplinary process that is integrated into the company’s ERM processes and overall governance structure. Does the cyber-security strategy and governance structure reflect an understanding of the company’s data security priorities and security gaps? How are we deploying our financial and human capital to protect these assets against the greatest threats? Management needs to demonstrate that it is “skating to where the puck is going”—i.e., our cyber-security efforts must continuously improve to protect the company as our businesses and technologies evolve and cyber-threats become more sophisticated. Does leadership understand our cyber-security priorities and risks?
Insist on a cyber-security scorecard. As a matter of routine at each meeting, many audit committees and boards review with management a cyber-security scorecard, which typically shows (for the most recent period): the volume of identified cyber-incidents; the materiality and nature of cyber-incidents and how they are being managed; key trends and what is happening in the external environment (e.g., in the private and public sector and on the legislative front). A good cyber-security scorecard—which develops and evolves over time—helps to improve both the quality of cyber-information and the quality of director dialogue regarding cyber-security.
Understand the company’s cyber-incident response plan. As one leading CIO recently told us, it’s challenging to define a precise process or a set of concrete steps for managing a cyber-incident because cyber-incidents don’t all have the same attributes and implications for the company or its customers. That said, incident management is a critical component of an overall cyber-risk program, and the effectiveness of the incident response plan will depend on several factors. First, scenario planning is critical, and all the key players—including the communications, legal, and policy teams—need to be involved. Second, it’s important to establish clear accountability—if you have a breach, who is responsible for doing what? The final piece involves decision making—particularly if an incident has external implications, as most do. When third parties or customers might need to be notified, it’s important to have a framework for making those decisions—sometimes very quickly.
“The interesting thing is that these are just frameworks,” Roath says. “It’s guidance. It doesn’t mean it’s how it has to be. When we do assessments, we’re looking broadly at security, privacy, maturity. We will incorporate different pieces of any of those frameworks. No one framework is right for any company. It has to be supplemented with broader knowledge, skills, expertise, to really elevate the risk in that environment.”
Adventures in Mapping
Brian Palazini, a systems architect at sensor-maker Analog Devices, has been involved in mapping exercises to reconcile the requirements of different frameworks for different purposes. He’s seeing some demands from different constituencies to make more use of the NIST framework, which experts say is becoming more common for U.S.-based companies as cyber-security attacks have become more routine. “It’s pretty painful to try to do those matrices, mapping it back to a specific source document,” he says. “It’s a lot of manual work.”
Mapping across frameworks is an “unfortunate reality” for anyone working with an external auditor who answers to the PCAOB, says David Brand, managing director in the IT audit practice at consulting firm Protiviti.
“The PCAOB is swinging a big stick in the IT space,” he says. “It consumes so much time and effort to comply with COSO and external audit expectations; it pushes some of the other things out to the edge. Some IT departments don’t have time to do other things because they are so focused on getting all of this stuff right for one individual regulatory requirement.”
Bob Hirth, chairman of COSO, says he doesn’t see any conflict between COSO and other IT frameworks. “NIST and other frameworks are more granular and appropriately more detailed than COSO,” he says. “If you follow those, you can tick off many things in the COSO framework.” And much of what the IT frameworks cover is not relevant to financial reporting, he says. “For example, if you have a retailer with credit card information, that may not fall within SOX, because SOX is focused on a limited subset of internal controls.”
Cyrus Amir-Mokri, a partner at law firm Skadden, Arps, Slate, Meagher & Flom, says the situation is not unlike others where companies face multiple regulators pushing different regulatory requirements. “We are probably making more of the differences between standards than actually exists,” he says. Companies choose different IT frameworks based on their particular needs, and some companies are further along in addressing IT security than others, he says.
With so many frameworks and standards in play, chief compliance officers need to help make sense of them, says Pamela Passman, president and CEO of consulting firm CREATe.org and formerly corporate vice president in charge of global regulatory affairs for Microsoft. “This is where the new normal is headed,” she says. “The first movers are trying to have a comprehensive approach in this cyber-security area, but these are the early days. The chief compliance officer and general counsel can really play a role here.”
Lee agrees companies need to be careful not to get lost in the details. “I don’t think the adoption of one framework over another changes the dialogue one bit,” he says. “If you can get away from which framework is important and talk about which control objectives are important, you’re going to have a far more productive dialogue. If we have to marry your checklist of 237 points to my checklist of 182 points, that’s going to be a long day.”