Where could auditors play a greater role beyond the audit of the financial statements?
The scale and complexity of the cybersecurity challenge has grown exponentially. As a result, there has been an increasing call from stakeholders for information related to cybersecurity and for robust conversations on these topics. Everyone has a role to play in promoting cybersecurity resilience. Before exploring how auditors could play a greater role in cybersecurity disclosures beyond those included in the audited financial statements, it is important to consider the needs of the various stakeholders.
Analysts and investors may want to consider information about a company’s cybersecurity measures when making investment decisions. This information can help them understand the cybersecurity risks that could threaten the achievement of the company’s operational, reporting, legal, and regulatory objectives—each having the potential to impact a company’s market value. According to an article from the World Economic Forum, cyber risk is rapidly becoming an important factor to consider when making investing decisions, as it is a key component of an enterprise’s viability.
To help fulfill their oversight responsibilities, boards of directors need information about the company’s cybersecurity program and the cybersecurity threats the company faces. They also want information that will help them evaluate the company’s effectiveness in managing cybersecurity risks.
Company management may need information about how business partners (e.g., vendors) with whom they do business manage their cybersecurity risks. This information can help management understand and assess the risks arising from doing business with such business partners (for example, a manufacturer needs to be able to rely on a key vendor’s ability to provide goods/services in the event of a disruption to its IT systems). Likewise, business partners may need information about the company’s cybersecurity program to evaluate the business relationship.
Auditors, in their public interest role, play a significant role in the flow of comparable and reliable information for decision-making, including disclosures about cybersecurity. Auditors can provide advisory or attestation services on company-prepared cybersecurity information that may bring discipline to management’s voluntary cybersecurity disclosures and to the organization’s cybersecurity risk management program. Some of those services may enhance the trust and confidence stakeholders—including boards of directors, investors, and business partners—have in the cybersecurity information that companies report. These services might include the following:
Companies within the same industry can face different cybersecurity risks; therefore, their cybersecurity risk management programs are not identical. Consequently, companies and stakeholders can benefit from the use of a framework to promote a level of consistency among companies’ cybersecurity disclosures while also enabling companies to communicate specific cybersecurity threats they face and how they are responding to them.
With respect to attestation engagements, to enable auditors to conduct the examination, the AICPA developed a reporting framework that provides a common approach to communicating, evaluating, and reporting on a company’s cybersecurity risk management program. The reporting framework, known as Systems and Organization Controls (SOC) for Cybersecurity, includes three key components designed to assist stakeholders in understanding a company’s cybersecurity risk management program:
i. Management’s description of the company’s cybersecurity risk management program
ii. Management’s assertion that the program meets the framework criteria
iii. The practitioner’s opinion
Management can use the framework to determine key components of the company’s cybersecurity risk management program to communicate in order to meet the information needs of users. Additionally, auditors can use the criteria in the AICPA’s SOC for Cybersecurity framework to opine on the cybersecurity risk management program’s design and on the effectiveness of controls management has designed to achieve the organization’s cybersecurity objectives. The practitioner’s report (i.e., their opinion) may assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of their organization’s cybersecurity risk management programs.