In 2018, U.S. organizations that suffered a data breach lost an average of $7.91 million as a result. That is the highest average organizational cost of all the countries and regions covered in the 2018 Cost of a Data Breach Study by IBM and independent research firm Ponemon Institute. Malicious or criminal attacks were the source of more than half of those breaches, rather than system glitches and human errors.
With so much at stake, it is no surprise that auditors consider these issues when conducting their audit risk assessments. This audit season, prepare to answer questions about cybersecurity and the effectiveness of your company’s internal controls against cyberthreats.
Inspections of public companies
In recent years, Public Company Accounting Oversight Board (PCAOB) inspectors have interviewed auditors of companies that have experienced a breach into their computer systems to find out how the auditors and their firms responded to the incidents. They report that auditors today are increasingly focused on matters related to cybersecurity.
Audit firms have provided varying levels of guidance, both when assessing risk at the start of an engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit.
“Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.
Possible questions that auditors might ask during fieldwork include:
- How does management identify and prioritize cyberrisks?
- What kind of internal controls has management established to safeguard digital assets and sensitive data (such as formal policies and procedures, employee training and the use of security analytics)?
- How does management monitor internal controls to ensure effective operation?
- Does management have a detailed breach response plan?
- If a breach occurred during the accounting period, how did management respond and how much did it cost?
- Has the company purchased cyber liability and breach response insurance?
The PCAOB has not yet found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there is a risk that future attacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program to explore what auditors are doing to protect clients’ data and stakeholder data.
Universal risk factor
PCAOB inspectors target audits of public companies. But private companies also can be victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.
The increasing frequency and severity of cyberattacks underscores the need for auditors of entities of all sizes to update their procedures. It is our job to ask key questions about cyberrisks and the effectiveness of your internal controls. The answers, in turn, can help you formulate more effective governance strategies.