PCAOB board member wants auditors to be more vigilant about cybersecurity
The Public Company Accounting Oversight Board may begin asking auditors to look at cybersecurity when assessing risks at the companies they audit.
PCAOB board member Kathleen Hamm called for more auditors to consider cybersecurity when performing their audit risk assessments after high-profile data breaches in recent years at all too many companies.
“We know some auditors are laser-focused on cybersecurity and have taken steps to specifically consider cyber-threats when assessing the risks of a material misstatement in the financial statements of public companies,” she said at a financial reporting conference at Baruch College in New York on Thursday. “Whether or not a cyber-incident has occurred during the planning process, an auditor must perform a risk assessment, and I believe that assessment should consider any cybersecurity risks that could have a material effect on the company’s financial statements.”
Hamm highlighted a data breach at Yahoo that occurred in 2014: The company initially reported the breach in 2016 and said it affected at least 500 million user accounts, later upping the estimate to about 1 billion accounts. Then in 2017, Verizon, which had acquired Yahoo, admitted that the data breach affected 3 billion accounts, or practically every single one of its users. Last year, the Securities and Exchange Commission levied a $35 million fine against Yahoo’s holding company Altaba for failing to fully disclose the data breach.
Hamm noted at the outset of her speech that she was speaking on her own behalf and not expressing the views of the PCAOB as a whole — but she had a number of recommendations about what auditors should be doing.
“If the auditor identifies a risk related to cybersecurity that could have a material effect on a company’s financial statements, an auditor should then design and execute procedures to address those risks,” she said. “For an integrated audit, this work would include testing the relevant controls. To begin the risk assessment, an auditor must obtain an understanding of the company and its external and internal environment. This understanding, of course, includes the company’s IT systems relevant to financial reporting, along with any related subsystems. This also includes understanding the potential access points into these systems, as well as the logical access controls over the systems. As part of the risk assessment, I believe an auditor should also understand the methods used by a company to prevent and detect cyber-incidences that could have a material effect on the financial statements, the company’s processes that can block and identify attempted unauthorized transactions or access to assets, as well as employees’ familiarity with those processes. Other areas of focus should include the company’s processes to assess and address material cyber-incidences once they’re identified. This includes understanding, for example, how the company ensures timely evaluation and reporting of material incidences. It also includes how the company ensures appropriate escalation to the board and timely consideration of exposure obligations to investors and others.”
Hamm believes auditors also need to be aware of the vulnerabilities that could exist within a client’s supply chain and its employee and customer base. “When performing these risk assessments, I encourage auditors to think broadly,” she said. “Why? As companies become more digitally linked to their vendors, customers and employees, the potential entry points and attack surfaces multiply. We also know that threat actors usually target the weakest link to gain entry: a website and an email account. And once inside, threat actors typically seek to move laterally throughout the organization’s IT architecture looking to gain entry and access into systems they can exploit. As a result, an auditor should be clear-eyed about the risks that attackers can operate under the guise of legitimate users, ultimately accessing the company’s systems or subsystems that support a financial reporting process.”
Hamm called on auditors to remain skeptical, even if their clients haven’t uncovered a data breach yet. “Even if a specific cyber-incident has not been identified, it is important for the auditor to remain professionally skeptical throughout,” she said. “Why? According to a recent study, the average time to identify a breach is 196 days — more than six months. Therefore a real possibility exists that a breach has occurred and has not yet been identified or disclosed to the engagement team.”
She had some advice for what auditors should do when an attack has been detected. “What is the auditor’s responsibility if the company has experienced a cyber-incident? Of course, the auditor must assess the danger and extent of the breach, including what was stolen, altered or destroyed,” she said. “The auditor should also consider the expected effect of the breach on the company’s operations. Armed with that information, the auditor should consider the financial statements and the financial implications of the breach. ... Beyond that the auditor should also assess whether the incident resulted from a deficiency in the company’s internal controls over financial reporting and whether the company has put in place procedures to prevent similar future incidences. The auditor should also explore with management and the audit committee the nature and type of disclosures that the company is considering in its financial statements or notes to those statements.”
The need to be vigilant continues throughout the audit process: "If during the audit, the auditor obtains information about a cyber-incident, then the auditor should evaluate whether that incident has an effect on the previously performed risk assessment," she said. "Regardless of the effect on the risk assessment, the auditor would need to document relevant considerations of the cyber-incident on the audit. Finally, even when a cyber-incident may not appear to be material to the financial statements, if an auditor becomes aware of a possible illegal act related to the incident, the auditor would need to assure themselves that the company’s audit committee was adequately informed about it as soon as practical. ... Cybersecurity represents one of the most significant economic, operational and national security threats of our time. It is a key risk to investors and our capital markets as well.”
The PCAOB is starting to require the auditors of the largest public companies to disclose critical audit matters in their audit reports in June, and Hamm was asked by an audience member about whether the CAMs should include cybersecurity information.
“Specifically for CAMs, it needs to relate to the specific account or disclosure to trigger it, but a cyber-incident or overall cyber-risk can be factored into what the auditor is considering when they’re assessing the CAMs,” she responded.
Looking back, and abroad
Earlier in the conference, the chairman of the Financial Accounting Standards Board, Russell Golden, reflected back on his tenure at the board and the transition to a new chairman, who is expected to be announced before Golden’s term ends next June.
“Next month will usher in my last full year as FASB chairman,” he said. “It will mark the end of a decade on the board, and a 16-year career with the organization. It’s been an honor to serve on the FASB. And I’ve learned a lot, due in no small part to the people I’ve met and worked with along the way. They include my colleagues on the board, the outstanding FASB staff — and stakeholders like you, who follow our activities, share your input, and even listen to my speeches.”
He noted that in 2013, when he took over as chairman, FASB faced many challenges, especially its ongoing convergence efforts with International Financial Reporting Standards. “I believed — and still do — that more comparable global accounting standards help reduce complexity and costs in financial reporting, costs that are often borne by U.S. multinational corporations,” said Golden. “But by 2013, we’d come to realize that the ideal of a single set of high-quality global accounting standards was just that — an ideal. Different starting points, different cultures and different legal systems made bilateral convergence impossible to achieve.”
In 2014, FASB and the International Accounting Standards Board issued their long-awaited converged standard on revenue recognition. That was followed in 2016 by a less converged standard on leases in which Golden acknowledged the two boards differed on expense recognition. The two standard-setting boards also later diverged on the credit losses standard in their financial instruments project, where FASB opted for a current expected credit loss model.
“We continue to believe that the CECL model best serves the interests of U.S. investors — and that it better reflects, in a timelier fashion, the credit risks of loans on an institution’s balance sheet,” said Golden.
The two boards also ultimately didn’t come up with a converged insurance accounting standard. “When we embarked on this joint project, the IASB did not have a measurement standard for insurance,” said Golden. “The FASB, on the other hand, had extensive GAAP guidance in this area. Initially, the FASB and IASB set out to overhaul accounting for all insurance contracts. But when we issued our proposed overhaul, U.S. stakeholders — especially investors — told us there was no significant need for fundamental change to GAAP guidance for short-duration contracts. So we decided to change course and focus on making targeted changes to existing GAAP. In 2015, we issued improved disclosure requirements for short-duration insurance contracts. And last year, the FASB issued a new standard for insurance companies that issue long-duration contracts, such as life insurance. I’m proud of what we accomplished in those joint projects. I’m also proud of our success in forging a new model for how we support the goal of more comparable, high-quality accounting standards worldwide.”
He said the two boards are continuing to work together to improve global accounting standards. “We continue to learn from each other,” said Golden. “Later this year, the FASB and the IASB will have another joint meeting in London to discuss common projects. Over the past five years, we’ve also helped improve IFRS through our membership in the Accounting Standards Advisory Forum, or ASAF. The ASAF was created by the IFRS Foundation in 2014. Its purpose is to advise the IASB as it develops IFRS. The FASB serves on the ASAF with representatives of other national standard-setting boards. At ASAF meetings, we share insights with the IASB on its projects and other financial reporting issues. The FASB’s participation on the ASAF is an important opportunity to represent U.S. interests in the IASB’s standard-setting process. It’s proved to be yet another valuable opportunity to work together with other standard-setters on issues of common interest. And it helps all of us continue the process of improving GAAP, IFRS and other national standards.”
FASB is working with standard-setters in other countries such as Canada, Japan, Italy, China, Korea, Australia, France and the United Kingdom. Next year, FASB will host a meeting of the International Forum of Accounting Standard Setters in Washington, D.C.
“These relationships are critical to developing better and more comparable standards across the globe,” said Golden. "So what’s left for the FASB to do on the international front? Plenty. But, above all, to keep making progress. I think the FASB should continue to engage with stakeholders — in the United States and abroad — to make GAAP the very best it can be for those who use and apply it. I think the FASB should continue to work with the IASB, our strongest ally in the financial reporting space. We should continue to share our research and potential solutions to standard-setting problems. I think we should follow the IASB’s lead and remain focused on improving the financial statement. And leave sustainability reporting and other performance metrics — however important they may be — to other experts. And I think the FASB should continue to build its relationships with national standard-setters, and to share research and potential solutions on issues of common interest. But most of all, I think the FASB should continue to actively engage you, our stakeholders, in the standard-setting process.”
In a separate address to the attendees, Securities and Exchange Commission chief accountant Wesley Bricker talked about the commission’s involvement with accounting and auditing standard-setters worldwide through the Monitoring Group, a group of regulatory and international financial organizations that he is now co-chairing.
“The Monitoring Group's work is done in view of promoting international audit quality in order to strengthen confidence in the audit of financial statements, in particular, those of public companies," he said, noting that he plans to continue to collaborate with other members to improve auditing standards internationally.
“The approach I have taken over the past year has been, and will continue to be, collaboration with and among Monitoring Group members, including exchanging views on ways to strengthen the effectiveness of the structure and governance of setting international audit-related standards,” said Bricker. “I have also urged continuous improvement as a parallel, current and an ongoing responsibility of all the organizations involved in the overall structure for setting international audit-related standards, including the standard-setting boards, the International Federation of Accountants, the Public Interest Oversight Board and the Monitoring Group.”