4 Things Every CPA Should Know about New York’s New Cybersecurity Requirements

In a speech at Baruch College’s 18th Annual Financial Reporting Conference, PCAOB member Kathleen Hamm stated: “Technology offers the promise of combining increased efficiencies with improved effectiveness, resulting in enhanced audit quality” (May 2, 2019, http://bit.ly/2HNfgxa). Emerging technologies, however, also contain potential threats from coding errors, unintended bias, and unauthorized access, and Hamm highlighted a recent SEC study of nine public companies victimized by cyberfraud. She also expressed a personal view that auditors should consider cybersecurity in their audit risk assessments, and referenced the AICPA guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (May 2017, http://bit.ly/2MmBk6f).

The PCAOB is clearly considering the implications of cyberrisks for the audit process. For example, a June 2018 PCAOB Standing Advisory Group meeting on cybersecurity discussed recent high-profile cyberevents, as well as new audit industry guidance, including the Center for Audit Quality's cybersecurity resources (http://bit.ly/2EMsfh3). The Staff Preview of Inspections indicated that approximately 10% of PCAOB audit inspections in 2018 involved cybersecurity incidents during the audit period, although not all had a financial statement impact (http://bit.ly/2W07nZf). Furthermore, the Inspections Outlook for 2019 states that the PCAOB will continue to evaluate the audit processes used to identify cyberrisks (http://bit.ly/2YY3DJI).

Following Hamm’s lead, this month’s column focuses on cybersecurity tools for CPAs, as presented by three standards-setting and regulatory bodies: the SEC, FINRA, and the AICPA.

SEC Spotlight on Cybersecurity

The SEC’s “Spotlight” webpage on cybersecurity provides information for investors, issuers, public companies, investment advisors, broker-dealers, and self-regulatory organizations (https://www.sec.gov/spotlight/cybersecurity). The SEC’s guidance focuses on management disclosure of material cybersecurity risks and incidents, rather than on independent attestation by CPAs. Hamm’s speech called attention to the SEC’s “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” Exchange Act Release 84429 (October 2018, http://bit.ly/2QCr2xo), which covered nine issuers that lost a combined total of almost $100 million to cyberfraud.

The SEC’s early statements on cybersecurity issues include the Division of Corporation Finance’s “CF Disclosure Guidance: Topic No. 2—Cybersecurity,” published in October 2011 (http://bit.ly/2JPOcj7). This guidance discusses how cybersecurity risks and cyberincidents fit into existing financial reporting disclosure requirements for general risk factors. For example, cyberrisks and incidents should be covered in management’s discussion and analysis (MD&A) if the costs or other consequences are reasonably likely to have a material effect on operations, liquidity, or financial condition; however, disclosure of details that would themselves compromise an organization’s cybersecurity is not required.

More detailed guidelines were issued in February 2018 in the 24-page “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (http://bit.ly/2wwxywq). This interpretive release addresses disclosure obligations, materiality, risk factors, MD&A, and financial statement disclosures. Two new topics are cybersecurity disclosure controls and procedures and the application of insider trading prohibitions to material nonpublic information about cybersecurity incidents.

The webpage provides some useful investor information as well, with investor bulletins on social media and investing, avoiding fraud, and stock rumors. The bulletins include action steps and contact information for help. “Protecting Your Online Investment Accounts from Fraud” (April 2017, http://bit.ly/2Kj99Cz) includes worthwhile points on mobile devices and on storing personal information in the cloud.

Financial Industry Regulatory Authority Cybersecurity

According to Financial Industry Regulatory Authority (FINRA) staff, cybersecurity is frequently identified in their examination processes as one of the top risks that firms face. FINRA’s Cybersecurity webpage (http://www.finra.org/industry/cybersecurity) offers two studies on cybersecurity best practices; the 2018 report builds on the original 2015 document. Report on Cybersecurity Practices (2015, http://bit.ly/2W3B1Nl) is a 46-page downloadable PDF that covers overall cybersecurity issues, such as governance and risk management, cybersecurity risk assessment, and staff training. Appendix I is a useful bullet-point summary of the principles and practices covered in the report. Report on Selected Cybersecurity Practices (2018, http://bit.ly/2MuW9MK) is a 19-page document focused on a handful of major concerns; it specifically addresses cybersecurity controls in branch offices, phishing attacks, insider threats, penetration testing programs, and mobile devices. The appendix summarizes core cybersecurity concerns for small firms, from patching and updating operating systems and software to creating policies and procedures.

FINRA provides quick access to the highlights of the 2018 report in a 30-minute “Few Minutes with FINRA” video, which covers the purpose of the 2018 study and how it builds on the 2015 report (http://bit.ly/2KhBHwc). A related 25-minute podcast, “Bits & Bytes: A Look at Effective Cybersecurity Practices,” discusses specific issues covered in the 2018 report (http://bit.ly/30ZObPa).

The webpage also provides several resources for small firms, beginning with a useful “Checklist for a Small Firm’s Cybersecurity Program,” developed from FINRA’s best practices report and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (http://bit.ly/2HMWbLG). The checklist is a downloadable Excel worksheet with 12 sections, including links to helpful resources.

AICPA Cybersecurity Resource Center

The AICPA’s Cybersecurity Resource Center (http://bit.ly/2wymP4o) presents a large selection of resources for CPA firms, CPAs providing advisory services, and CPAs providing assurance services. Many of the materials are accessible only with basic AICPA or section membership, but several good tools are available to the public. Readers who are interested in cybersecurity, especially with regard to consulting services, are encouraged to take a look at the AICPA’s “one-stop shop” webpage. The cybersecurity main page also offers a selection of AICPA articles and links to other organizations’ websites, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Risk Management (IRM), the Institute of Internal Auditors (IIA), and NIST, as well as access to AICPA guides and professional standards affecting cybersecurity engagements.

The AICPA’s Cybersecurity Risk Management Reporting Framework (http://bit.ly/2XqSQao) is a flexible tool to help CPAs report to managers and other decision makers on an entity’s cybersecurity risk management program under the System and Organization Controls (SOC) umbrella. A SOC for Cybersecurity (SOC-C) engagement involves 1) management’s description of the organization’s cybersecurity risk management program, prepared against the framework’s description criteria, 2) an evaluation of the effectiveness of the program’s controls in achieving the entity’s cybersecurity objectives, and 3) the CPA’s report on the description and on the effectiveness of those controls, following the framework’s reporting guidance. SOC-C engagements are voluntary and can be part of CPA advisory or attestation services.

Three resources offer a good explanation of the SOC-C concepts. A seven-minute video, “Introduction to the AICPA’s Cybersecurity Risk Management Framework,” presents an excellent brief overview of the purpose and focus of cybersecurity engagements (http://bit.ly/2XqSQao). “SOC for Cybersecurity: A Backgrounder” is a 13-page booklet with an accessible summary of cybersecurity risks, the cybersecurity services that CPA firms can offer, the objective of the reporting framework, the evaluation process, and the intended audience (http://bit.ly/30Vu4S6). A nonauthoritative “Illustrative Cybersecurity Risk Management Report” provides examples of management’s assertions regarding the description of the entity’s cybersecurity risk management program, an independent accountant’s report on the description, and a walkthrough of the description criteria as applied to a specific organization (http://bit.ly/2QCtvIa).

Susan B. Anders, PhD, CPA/CGMA is the Louis J. and Ramona Rodriguez Distinguished Professor of Accounting at Midwestern State University, Wichita Falls, Tex. She is a member of The CPA Journal Editorial Advisory Board.