Auditors assessing cybersecurity risks
Auditors can help companies improve the reliability of their cybersecurity disclosures, according to a new report from the Center for Audit Quality.
The report, The Role of Auditors in Company-Prepared Cybersecurity Information: Present and Future, offers an overview of the kinds of disclosures that companies are making about their cybersecurity risks, how auditors are currently assessing those risks, and how that role could change in the future as auditors provide advisory or attestation services involving the cybersecurity information provided by companies.
Cybersecurity can have a widespread impact on companies, leaving some organizations vulnerable to hackers and ransomware attacks. As technology advances and the COVID-19 pandemic spurs more companies to adopt remote work arrangements, companies are dealing with new and evolving cybersecurity threats. In response, regulators, investors and other constituents want to know more about the cybersecurity risks facing companies.
“As the scale and complexity of cybersecurity challenges has grown exponentially in recent years, investors and other stakeholders may find information beyond the disclosures required by the Securities and Exchange Commission helpful for decision making,” said CAQ executive director Julie Bell Lindsay in a statement Tuesday. “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and company cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”
Most companies disclose some cybersecurity information in their SEC filings, but the information is often limited and general in nature.
The CAQ report includes some questions that board members should keep in mind when they talk about cybersecurity with company management and auditors. A dialogue can improve their understanding of how the company is managing its cybersecurity risks, as well as clarify the auditor’s responsibility for cybersecurity risk considerations and any extra services that accounting firms may offer for the company’s risk management program and related disclosures.
For a copy of the report, visit www.caq.org.