Cybersecurity and the Auditor’s Role
What is the auditor’s current role?
As cybersecurity risks evolve, the auditor should continue to evaluate the potential for cybersecurity incidents to have a material impact on the financial statements. Auditing standards require the financial statement auditor to obtain an understanding of how the company uses information technology (IT) and the impact of IT on the financial statements. This includes an understanding of the extent of the company’s automated controls as they relate to financial reporting, the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process. In assessing the risks of material misstatement to the financial statements—including IT risks resulting from unauthorized access—financial statement auditors are required to consider their understanding of the company’s IT systems and controls.
In a company’s IT environment, the systems and data in scope for most financial statement audits usually are a subset of the totality of systems and data used to support the company’s overall business operations; the auditor’s focus is on access controls and changes to systems and data, computer operations controls, and the reliability of company-prepared information using systems and data that could impact the financial statements and the effectiveness of internal control over financial reporting (ICFR).
It is important to remember that a company’s overall IT platform includes systems and related data that address not only financial reporting processes but also the operational and compliance needs of the entire organization. Diagram A depicts the typical access path to an IT system.
The financial statement auditor’s primary focus is on the controls and systems that are in the closest proximity to the application data of interest to the audit of the financial statements and, when applicable, of ICFR—that is, on those layers that, if breached, may allow access to the systems and applications that house financial statement–related data. Audit procedures are then developed to address each company’s unique IT environment. Many cybersecurity incidents first occur through the perimeter and internal network layers, which tend to be further removed from the application, database, and operating systems that are typically included in access control testing of systems that affect the financial statements. However, the cybersecurity risk landscape has evolved, and the frequency and complexity of cybersecurity attacks continue to change. For example, there have been cybersecurity incidents resulting in the disbursement of unauthorized funds (e.g., a wire transfer) originating through the compromise of the company’s email system. Such incidents may not necessarily be sophisticated in the use of technology; instead, they have adapted to exploit weaknesses in the company’s policies and procedures that are vulnerable to cybersecurity risk today.
As part of risk assessment and planning, auditors would broadly consider cybersecurity risks that could have a material effect on the company’s financial statements and, in an integrated audit, ICFR. Considerations related to cybersecurity risks include the potential financial impact of such risks on the financial statements and the inability of an organization to issue financial statements in a timely manner because of a breach of its financial reporting systems (e.g., due to a ransomware attack). For example, auditors may obtain an understanding of the company’s business operations that give rise to cybersecurity risk and, to the extent such risks are deemed material to the company’s financial statements, adjust their audit plan accordingly to address those risks. Common areas that may have exposure to cybersecurity risk include processes where bank account information is modified and funds are disbursed (e.g., wire transfer). In addition, certain technical controls are tested in areas of security, change management, and operations to address cybersecurity risk. Cybersecurity risk is a spectrum, and while the risk profile may vary across organizations, it is unlikely that a company is immune to cybersecurity risk in today’s environment.
Profession in Focus | Andrew Cotton, EY
This 2018 episode of Profession in Focus features EY's Andrew Cotton discussing mounting efforts by companies to manage cybersecurity risks, the “very big investments” CPA firms are making in cybersecurity expertise, and the potential benefits of the American Institute of CPAs’ SOC for Cybersecurity framework.
With respect to the company’s cybersecurity disclosures, the auditor’s responsibilities depend on whether the disclosures are included in the audited financial statements or elsewhere in the Form 10-K. If the disclosure is included in the audited financial statements, the auditor performs procedures to assess whether the financial statements, taken as a whole, are presented fairly, in all material respects. Included in the auditor’s assessment are procedures specific to the financial statement disclosures. For example, when a cybersecurity breach that has a material financial statement impact occurs, the auditor would perform procedures around the affected account balances and assess whether the disclosures related to material contingent liabilities, if any, are reasonable in relation to the financial statements taken as a whole. In addition, the auditor would need to consider the impact of this incident on management’s assessment of ICFR.
In contrast, if the cybersecurity disclosure is presented outside the audited financial statements, such as in MD&A, the auditor’s responsibilities are different. The auditor would follow the guidance in paragraphs 4 and 5 of the Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2710, Other Information in Documents Containing Audited Financial Statements. This auditing standard requires auditors to read the other information in documents containing the audited financial statements and consider whether such information or the manner of its presentation is materially inconsistent with information appearing in the audited financial statements or contains a material misstatement of fact. Note that reading and considering information involves substantially less work than that required in an audit. Even if a company has extensive disclosures in MD&A about its cybersecurity risk management program, the auditor is not required to perform any procedures in the audit of the financial statements or ICFR to evaluate the appropriateness of the design and implementation of the company’s cybersecurity risk management program or its effectiveness, or to consider the broader cybersecurity risks that may affect the organization.
While cybersecurity is not explicitly addressed in auditing standards, the PCAOB has indicated that cybersecurity risks will continue to be a focus of its inspections and has highlighted cybersecurity and the role of auditors in evaluating cybersecurity risks in board speeches and other communications.