image

The Role of Auditors in Company-Prepared Cybersecurity Information: Present and Future

Introduction

In December 2019, the Center for Audit Quality (CAQ) developed and issued a publication, The Role of Auditors in Company-Prepared Information: Present and Future, which provides a foundational understanding of the current role of auditors in various types of company-prepared and publicly disclosed information and discusses how auditors are positioned to enhance the reliability of decision-useful company-prepared information.

Cybersecurity can have pervasive impacts on companies. Organizations face numerous threats with varying consequences—all in an environment marked by rapid technological change. With technology advancing and the COVID-19 pandemic causing increased remote working arrangements, companies are facing new and evolving cybersecurity threats. In response, regulators, investors, and other stakeholders are increasingly interested in understanding more about the impact of cybersecurity on the global economy. In its July 2020 report, The World Economic Forum ranked “Cyber-attacks and data fraud due to a sustained shift in working patterns” as the third (of 10) most worrisome risk for companies. It is a strategic imperative that companies promote cybersecurity resilience and build trust in their cybersecurity practices. Companies can differentiate themselves by providing greater transparency around how they are addressing cybersecurity risks.

In this publication, we will provide an overview of the types of company-prepared information—both required and voluntary—that have been observed in the marketplace to describe to stakeholders how companies are addressing cybersecurity risks. We will discuss the role auditors play in cybersecurity as it relates to the audit of the financial statements and how the auditor’s role in cybersecurity could evolve beyond the financial statements to better meet the evolving needs of investors, senior management, boards of directors, and other pertinent stakeholders.

We also provide key questions board members can consider as they discuss company-prepared cybersecurity information with management and public company auditors.

W A T C H

Profession in Focus | Cybersecurity

What is the nature of cybersecurity risk? What is the auditor’s role in this critical and evolving area? This video presents views from guests who have appeared on the Center for Audit Quality’s “Profession in Focus” video series, including CAQ Governing Board Member Barry Melancon, President and Chief Executive Officer of the Association of International Certified Professional Accountants, American Institute of CPAs.

About the Center for Audit Quality

The Center for Audit Quality (CAQ) is an autonomous public policy organization dedicated to enhancing investor confidence and public trust in the global capital markets. The CAQ fosters high-quality performance by public company auditors; convenes and collaborates with other stakeholders to advance the discussion of critical issues that require action and intervention; and advocates policies and standards that promote public company auditors’ objectivity, effectiveness, and responsiveness to dynamic market conditions. Based in Washington, DC, the CAQ is affiliated with the American Institute of CPAs.

Please note that this publication is intended as general information and should not be relied on as being definitive or all-inclusive. As with all other CAQ resources, this publication is not authoritative, and readers are urged to refer to relevant rules and standards. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The CAQ makes no representations, warranties, or guarantees about, and assumes no responsibility for, the content or application of the material contained herein. The CAQ expressly disclaims all liability for any damages arising out of the use of, reference to, or reliance on this material. This publication does not represent an official position of the CAQ, its board, or its members.