The panel featured Douglas Bloom, JD, director of the cybersecurity and privacy and financial crimes unit at PricewaterhouseCoopers; Chris Halterman, CPA, executive director of advisory services at Ernst & Young LLP; and Amy Park, CPA, partner at Deloitte and Touche LLP. Patrick McNamee, CPA, former deputy chief auditor at the PCAOB’s Office of the Chief Auditor, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists’ own personal views and not necessarily those of their employers or those employers’ boards, management, or staff.
* * *
McNamee began by citing a New York Times story about the potential for quantum computing to completely disrupt current encryption technology. Bloom then discussed the state of cybersecurity in general. The three main security threats are currently compromised email, ransomware, and foreign sabotage. Of the latter, he said that “nation-states are aiming at doing damage either for economic reasons or for political reasons. That has become far more prevalent and has become a problem for private industry battling very sophisticated actors.”
Halterman, who chaired the AICPA working group on cybersecurity, said that the group used the Statement of Financial Accounting Concepts (SFAC) as a guideline for how management should report on its cybersecurity risk management efforts. “What are the qualitative characteristics of that information, in terms of relevance, faithful representation, materiality, and comparability? … Management should describe its program, but that description should be free from material misstatement. And there may be a need for an auditor to examine and report on management’s assertion about the effectiveness of its controls.” The cybersecurity framework, which he likened to the COSO internal control framework, is available on the AICPA website.
Halterman also touched on how System and Organization Control (SOC) reporting for cybersecurity differs from SOC 2 reporting. “SOC 2 is formulated to answer the questions of a customer about what controls you have in place, and are those operating individually. That generally relates to only a single system or a limited number of systems. SOC for cybersecurity relates to the enterprise taken as a whole, and to a different set of decisions. Also, SOC 2 is a restricted use report, and the goal behind SOC for cybersecurity was to provide a report for general use.”
Cryptocurrencies and Blockchain
Next, McNamee asked Park to discuss cryptocurrencies. “The blockchain technology, by having a peer-to-peer network, removes that third-party intermediary, which allows for quicker transaction speed. It reduces transaction costs. I no longer have to pay that third party, and we can transact in a real-time manner,” Park explained. As for cryptocurrencies, she said, “A lot of people think about it [e.g., Bitcoin] like cash, but the big difference, and a common misunderstanding, is that there’s no legal tender for cryptocurrencies. It’s not backed by a sovereign government.”
When accounting for cryptocurrencies, Park said that current practice is to treat them as indefinite-life intangible assets. “When you look at the definition, an intangible asset is anything that lacks physical substance. And as an intangible asset, you have to record things at the lower of cost or market, subject to an impairment test. If you think about Bitcoin and its fluctuation, that may not be a very accurate reflection of the economics, but because of GAAP, that’s where we are.” Park also said that companies that hold cryptocurrencies for sale as part of their ordinary course of business could account for those cryptocurrencies as inventory, albeit under limited circumstances. Finally, she noted that hedge funds and other investment companies that hold cryptocurrency positions are accounting for them at fair value.
“A lot of people think that maybe fair market value or mark-to-market accounting is more appropriate,” Park commented. The subject has not yet been brought before FASB; one hurdle, in her view, is that “FASB’s not going to just make new accounting standards for issues that aren’t pervasive. It seems like companies that are holding cryptocurrencies are not holding material amounts. And a lot of companies that say that they accept Bitcoin just use a third-party payment processor who will automatically convert it to U.S. dollars.”
Auditing the Blockchain
Next, McNamee asked Halterman about the implications of blockchain technology for the profession. Halterman said that the AICPA is looking at blockchain in terms of its audit implications and SOC reporting. More broadly, he said, “we need to think about the implications of the technology. What are the risks, and how do you audit the controls around those risks?”
Compliance and operations perspectives also present questions, Halterman continued. “What happens if personal information is loaded into a blockchain database that has multiple custodians, and in one of those records someone asserts the right to be forgotten under the GDPR [General Data Protection Regulation]. Who is responsible for removing that record? How can you remove that record? Does it destroy the integrity of the blockchain?”
McNamee asked whether there was a difference in the kind of evidence to look for when auditing a blockchain. “I think there is,” Halterman said, “because there’s an opportunity to interact with the blockchain because it is in a public space. Different parties have agreed to the correctness of the contents of that blockchain; confirmation by multiple external parties is really fantastic audit evidence as long as it exists. … Does it eliminate risk? Risks are never eliminated; they’re transformed into other risks. Does it transform the risk into something that the company can mitigate better, or has it simply transformed the risk into something it doesn’t understand and may be completely out of balance with its risk appetite?”
McNamee then turned to Bloom to talk about cryptocurrency and blockchain from a cybersecurity perspective. Bloom emphasized that the blockchain is “very secure,” but noted that modifying input to and output from the blockchain is still possible. “You can create a vault around the blockchain, but you can’t stop people from manipulating the inputs and the outputs. That’s where the real security risk takes place.”
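The questions raised in the preceding paragraphs (whether a record can be removed without destroying the integrity of the chain, why agreement among independent custodians is strong evidence, and why a "very secure" chain still carries whatever inputs were fed into it) can be made concrete with a small hash chain. The code below is an added example and is not code from the panel, the AICPA, or any of the firms named above; the block layout, field names, and the sample customer records are constructed for illustration and do not correspond to any real blockchain's format.

```python
"""Added illustration: a minimal SHA-256 hash chain.

Shows three things the panel discussed:
  1. Erasing data in place (a "right to be forgotten" request) breaks the chain.
  2. Rewriting one custodian's copy keeps that copy internally valid, but it
     no longer agrees with the other custodians' copies.
  3. A chain whose links all verify can still contain a false record: the
     chain protects integrity, not the truth of its inputs.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # constructed placeholder for "no previous block"


@dataclass
class Block:
    index: int
    data: dict        # the record a party submitted (the "input")
    prev_hash: str    # link to the preceding block
    hash: str         # SHA-256 over index, data and prev_hash


def block_hash(index: int, data: dict, prev_hash: str) -> str:
    # Canonical JSON so the same record always hashes the same way
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: List[dict]) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, rec, prev)
        chain.append(Block(i, rec, prev, h))
        prev = h
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or b.hash != block_hash(b.index, b.data, b.prev_hash):
            return False, b.index
        prev = b.hash
    return True, None


def erase_in_place(chain: List[Block], index: int) -> List[Block]:
    """Blank the personal data in one block without touching any hash."""
    edited = copy.deepcopy(chain)
    edited[index].data = {k: "[erased]" for k in edited[index].data}
    return edited


def rewrite_from(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Replace one block's data and recompute every later hash.

    A single custodian can do this to its own copy; the result verifies on its
    own, but its tip hash no longer matches what the other custodians hold.
    """
    edited = copy.deepcopy(chain)
    edited[index].data = new_data
    prev = edited[index].prev_hash
    for b in edited[index:]:
        b.prev_hash = prev
        b.hash = block_hash(b.index, b.data, b.prev_hash)
        prev = b.hash
    return edited


def custodians_agree(copies: List[List[Block]]) -> bool:
    """Multi-party confirmation: every custodian's copy ends in the same hash."""
    return len({c[-1].hash for c in copies}) == 1


# Constructed sample records (fictitious customers)
RECORDS = [
    {"customer": "A. Example", "email": "a@example.test", "payment": 100},
    {"customer": "B. Example", "email": "b@example.test", "payment": 250},
    {"customer": "C. Example", "email": "c@example.test", "payment": 75},
]


if __name__ == "__main__":
    original = build_chain(RECORDS)
    print("original verifies:", verify_chain(original))
    print("after in-place erasure:", verify_chain(erase_in_place(original, 1)))
    rewritten = rewrite_from(original, 1, {"customer": "[erased]"})
    print("rewritten copy verifies:", verify_chain(rewritten))
    print("custodians agree:", custodians_agree([original, rewritten]))
    bogus = build_chain(RECORDS + [{"customer": "A. Example", "payment": -999}])
    print("chain with a false record still verifies:", verify_chain(bogus))
```

Run as a script to see each case printed. The design point for an auditor is in the last two checks: `custodians_agree` is what makes confirmation from multiple external parties valuable, and the `bogus` chain shows that a chain which verifies perfectly says nothing about whether the records it contains were accurate when they were entered.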
Asked what skills auditors need to have to properly evaluate cybersecurity and technology risks, Halterman said that some engagements may require multiple specialists. “Getting an understanding of what the organization is actually doing doesn’t involve talking to one person and one department,” he said. “It involves talking to people in multiple departments who speak different languages.” Park added that knowledge of emerging technology is already becoming a part of accounting curricula and firms’ general requirements for new hires. “You can’t enter the workforce today and not understand some of the basic emerging technologies,” she said. “Where is that going to go 5, 10, 15, 20 years from now? Who knows? But think about 5, 10, 15, 20 years ago, how different the auditor looked back then, compared to today.”