Our mission at the PCAOB calls on us to protect investors and the public interest by overseeing one particular aspect of the financial reporting ecosystem: the preparation of informative, accurate, and independent audit reports. I’d like to discuss an emerging area for our oversight—cybersecurity. Specifically, I’d like to explore the dangers posed and how cybersecurity presents a threat to our financial reporting system. I’d like to also share my thoughts on what audit professionals can do to strengthen cybersecurity and resiliency in our financial reporting system. But before I do, let me give a brief update on what the PCAOB accomplished last year and where we are heading.
PCAOB Activities Update
This April marked the first full year with an entirely new PCAOB board in place, a board that by design brought together members with diverse expertise, skill sets, and perspectives. Over much of the past year, my colleagues and I have worked hard, individually and collectively, to understand and assess the PCAOB’s core programs and operations. We have also probed whether and how we can improve the PCAOB’s ability to more effectively accomplish our mission.
Last month, the PCAOB published our 2018 annual report, the first annual report reflecting the oversight of the new board. We completed and approved two long-awaited standards: accounting for estimates—including fair value—and the use of specialists. The public comment period with the SEC ended last week on both. If approved, these two standards will apply to audits of financial statements for fiscal years ending on or after December 15, 2020.
On our research agenda, we prioritize data and technology and quality control. We tapped our two advisory groups, the standing advisory group and the investor advisory group, to provide us insight on each of these topics. We also convened a task force of private-sector experts to advise us on emerging technologies and data analytics and their effect on the audit.
We helped practitioners, investors, and other stakeholders prepare for the implementation of the last and most significant phase of the new auditor’s report: the reporting of critical audit matters. We issued our first postimplementation review of a PCAOB standard. That standard was AS 1220, and it related to engagement quality review.
We also created a new Office of External Affairs to spearhead our efforts to increase our accessibility and engagement with our stakeholders, especially investors, audit committees, and preparers. We began the process of revisiting our approach to conducting and communicating the results of our inspections, and we awarded over $3 million in scholarships to 332 accounting students, with funds from penalties collected in our enforcement actions.
These results reflect some key priorities identified during a far-reaching strategic planning process that we began last year. That process started with the board querying our personnel, bottom to top, on what the PCAOB did well and where we could improve. We also reached out to a broad, diverse set of external stakeholders for their views and suggestions. We conducted a public survey and one-on-one interviews, and board members embarked on listening tours.
After extensive consultation and deliberation inside and out, last November we published our five-year strategic plan. That plan has five goals. Two look inward: becoming more efficient and effective with our resources and empowering our people for success in prudent risk-taking to promote our mission. The remaining three goals look outward.
These external strategies are: One, we are committed to driving audit quality forward through the combination of prevention, detection, deterrence, and enforcement. Two, we have pledged to enhance our transparency and accessibility through proactive stakeholder engagement, with a particular focus on reaching out to investors, audit committees, and preparers. Three, we have dedicated ourselves to anticipating and responding to a changing environment; in particular, to preparing for the opportunities and the risks that emerging technologies present to financial reporting and auditing.
The Benefits and Risks of Technology
Why is technology a key strategic imperative for us? While we do not know precisely how or when, we do know that emerging technologies and data analytics will fundamentally change the way financial information is reported, how audits are conducted, and ultimately how we at the PCAOB perform our work. More and more, companies now use algorithms and robotic process automation [RPA] to perform finance tasks. They are also increasing their use of advanced analytics and artificial intelligence in their financial reporting.
Auditors, in turn, are exploring new approaches to technology and analytics to perform their assurance functions. Today, some auditors use drones for inventory observations. Tomorrow, data analytics could replace sampling techniques with analysis of all transactions and accounts. Eventually, blockchain and distributed ledger technology could make confirmations a thing of the past.
Technology offers the promise of combining increased efficiency with improved effectiveness, resulting in enhanced audit quality. Freed from time-consuming manual reviews, technology may provide auditors with more time to exercise their business and financial expertise. That time could help auditors sharpen their professional skepticism and their ability to more effectively identify indicators of error and fraud. That additional time could also allow auditors to more deeply probe the potential root causes of identified issues and concerns.
But for all their promise, emerging technologies present real risks. Coding errors present inherent threats. Some occur during development; others can occur when changes are made after deployment. Still other errors may lie dormant for extended periods of time. Some experts estimate that between 15 and 50 coding errors exist for every 1,000 lines of code. Given the complexity of many software applications and solutions, many of which contain millions or tens of millions of lines of code, the risk of material errors is not trivial.
The threat also exists for unintended or algorithmic bias. This bias occurs when systematic, repeatable errors in software or computer systems cause unfair outcomes, arbitrarily favoring one result over another. Bias can emerge from the design of an algorithm itself or through unintended or unanticipated uses of the algorithm. For example, software designed to automate the analysis of real estate leases may prove feeble at analyzing equipment leases. Bias can also occur from the way data is coded, collected, selected, and used to train algorithms. These algorithms underpin machine learning and related artificial intelligence solutions.
The Downside of Interoperability
Unauthorized access to information systems and data also presents a significant threat. Amplifying this threat is how interconnected we all are to one another through technology and communication networks and systems. This interconnection occurs through domestic and international telecommunications, financial, retail and wholesale payment, and clearing and settlement systems. It also occurs through the Internet.
Today, we communicate and engage in commerce through the Internet. Organizations of all types—energy, transportation, healthcare, financial services, nonprofits and humanitarian groups, and governments—operate on the Internet. Vast amounts of personal and other data are accessible there, too. A key characteristic of the Internet is interoperability—the ability for different networks, systems, and devices, as well as applications, to connect, exchange, and use data across organizations and sovereign borders. Security was an afterthought at best.
And now everyday objects, so-called “Internet of things” devices, are connected to the Internet as well. Personal computers, smartphones, cars, thermostats, electrical appliances, lights, even cardiac monitors, to name a few, send and receive huge amounts of data, largely unfettered by country boundaries.
To fully appreciate the magnitude, scope, and speed of this change, think about this. In 2003, just a year after the establishment of the PCAOB, half a billion devices were connected to the Internet around the globe. By next year, Internet-connected devices are expected to have increased 60-fold, to almost 31 billion. This translates into nearly four devices for every man, woman, and child on the planet.
With this unprecedented access comes peril. Until recently, though, much like the Internet itself, little thought was typically given to the security of these devices. This means 31 billion potential access points for criminals, hacktivists, independent digital malcontents, and even rogue nation-states.
Earlier this year, the U.S. Director of National Intelligence released a report outlining the greatest dangers facing the United States and our intelligence community’s proposed response to those dangers. One of the threats was cybersecurity and resiliency. The threat includes the loss of proprietary and sensitive information, the manipulation and destruction of data systems and networks, and even harm to physical assets, as well as the related costs and the undermining of confidence in our institutions. While acknowledging the heightened awareness of cyberthreats and improved cyberdefenses, the report was sobering in its conclusion that nearly all information communication networks and systems will be at risk.
The report continues that our adversaries, both state and nonstate actors, are using cyber access and capabilities to advance their own strategic and economic interests. As we integrate technology into everything we do, the report notes that cyberthreats will pose increasing risks to our economic prosperity and public health and safety.
Similarly, in January, the World Economic Forum highlighted rising dependencies of economies on Internet connectivity and digital information, citing data fraud or theft and cyberattacks as the fourth and fifth most likely sources of global risk in 2019. In its prior year report, the forum highlighted a study that projects that cybercrime will cost businesses $8 trillion over the next five years.
How Cyberthreats Affect Companies
Now let’s put a finer point on specifically how cyberthreats can affect financial reporting. Just over a year ago, the SEC brought a settled enforcement action against the company formerly known as Yahoo for misleading investors by failing to disclose one of the world’s largest data breaches. Yahoo’s successor paid a $35 million penalty for that violation. This was the SEC’s first action against a company for a cybersecurity disclosure violation.
To recap, in late 2014, hackers associated with the Russian Federation infiltrated Yahoo systems and stole personal data relating to hundreds of millions of user accounts. Within days of the intrusion, Yahoo’s information security team understood that the company’s so-called crown jewels had been exfiltrated. This stolen data included usernames, e-mail addresses, telephone numbers, birthdates, encrypted passwords, and security questions and answers for the compromised accounts.
While information on the breach was reported to Yahoo’s senior management and legal department, the company failed to properly investigate the incident or adequately consider whether the breach needed to be disclosed to investors. The company also kept its auditors and its outside lawyers in the dark. The breach was only disclosed publicly more than two years later, when Yahoo’s operating business was being acquired by Verizon. Ultimately, because of that breach, Verizon lowered its purchase price for Yahoo by $350 million, representing a 7.25% discount.
Among other things, the SEC found that Yahoo failed over a two-year period to make required disclosures about the breach and its potential business impact and legal implications in its quarterly and annual reports. In those filings, instead of disclosing that an actual breach had occurred, the company merely stated that it faced the risk of and potential negative effects from data breaches. Importantly, the SEC also found that Yahoo failed to appropriately design and maintain effective disclosure controls and procedures that ensured the timely assessment and escalation of cyberincidents from Yahoo’s security information team.
Relatedly, earlier this year, $29 million was paid to settle private derivative actions alleging that the former directors and officers of Yahoo violated their fiduciary duties of care by failing to properly oversee the company’s handling of a series of cyberattacks from 2013 to 2016. These cyberattacks allegedly involved as many as three billion user accounts and included the data breach that formed the basis for the SEC’s enforcement action.
Of note, this settlement also represents another first. It was the first monetary recovery in a derivative action involving a data breach. Until then, settlements of data breach–related derivative lawsuits included governance changes and modest attorney fees, but no cash awards.
Last October, the SEC issued an investigative report highlighting a specific type of cyber-enabled fraud that victimized nine companies. It involved criminals using manipulated or spoofed e-mail addresses and domains to impersonate company executives and vendors to dupe employees into making unauthorized payments. Over the course of weeks or months, each of the nine companies lost at least $1 million, with one losing more than $45 million; collectively, the companies lost nearly $100 million. Most of the money was not recovered. In some instances, the frauds were only detected after inquiry from law enforcement or an outside party.
What happened in these instances? The scams came in two varieties. The first type involved criminals masquerading as company executives, sending e-mails to mid-level finance employees with authority to transmit funds. The e-mails typically made urgent requests for funds to be wired to purported foreign bank accounts of well-known law firms to facilitate supposed fast-moving mergers. The e-mails also instructed the employees to keep the request secret. Then, instead of going to the law firms, the funds were wired to the bank accounts controlled by the criminals.
The second, more sophisticated variant involved criminals hacking into the actual e-mail accounts of companies’ foreign vendors. After fooling company employees into revealing actual purchase order or invoice information, the hackers then tricked the employees into replacing the vendors’ payment information with routing information for bank accounts controlled by the hackers.
While declining to bring enforcement actions against the companies, the SEC used the report to underscore the obligations of public companies to devise and maintain sufficient systems of internal accounting control. By statute, these systems must provide reasonable assurance that granting of access to the company’s assets and execution of company transactions are only done in accordance with the general and specific authorization of management.
According to the SEC, the hackers succeeded in large part because company personnel were unaware of or did not understand their company’s internal controls. Those employees failed to recognize multiple red flags indicating that a fraudulent scheme was under way. The commission further cautioned public companies to be mindful of cyberthreats when designing and maintaining internal accounting controls.
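The two fraud variants above map onto a small set of payment-authorization checks. The following is an added illustration, not code from the PCAOB or the SEC report: the record layouts, the corporate domain `example-corp.com`, the `verified_by_callback` flag and the sample requests are all constructed here. It flags a wire request when the sender's domain merely resembles the company's, when the request is both urgent and secret, when the payee is unknown, or when the vendor's bank details changed recently without out-of-band confirmation (the check that catches the second variant, where the vendor's real mailbox is used and a domain check alone would pass).

```python
"""Payment-authorization checks for the two BEC patterns described in the SEC report.

Added example: data model, domain name, flags and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

COMPANY_DOMAIN = "example-corp.com"  # assumed corporate e-mail domain
RECENT_CHANGE = timedelta(days=30)   # assumed review window for bank-detail edits


@dataclass
class WireRequest:
    requester_email: str   # address the payment instruction arrived from
    payee: str             # vendor or law firm named as beneficiary
    account: str           # beneficiary account as stated in the request
    amount: float
    requested: date
    urgent: bool = False        # "must go out today" language
    confidential: bool = False  # "keep this between us" language


@dataclass
class VendorRecord:
    name: str
    account: str
    account_changed: date       # last edit of bank details in the vendor master
    verified_by_callback: bool  # edit confirmed via the phone number on file, not by e-mail


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character domain imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(address: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """True when the sender domain is not the trusted one but is within two edits of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != trusted and edit_distance(domain, trusted) <= 2


def review(req: WireRequest, vendors: Dict[str, VendorRecord], today: date) -> List[str]:
    """Return the red flags a payment approver should resolve before releasing funds."""
    flags: List[str] = []
    if lookalike_domain(req.requester_email):
        flags.append("sender domain imitates company domain")
    if req.urgent and req.confidential:
        flags.append("urgent and secret request: confirm with requester out of band")
    vendor = vendors.get(req.payee)
    if vendor is None:
        flags.append("payee not in vendor master")
    else:
        if vendor.account != req.account:
            flags.append("account differs from vendor master")
        # Catches the hacked-vendor-mailbox variant: the e-mail is genuine, the bank change is not.
        if today - vendor.account_changed <= RECENT_CHANGE and not vendor.verified_by_callback:
            flags.append("recent bank-detail change not verified by callback")
    return flags


# Constructed sample data: one executive-impersonation request, one vendor whose
# routing details were just changed through its (compromised) mailbox, one clean payment.
TODAY = date(2019, 6, 1)
VENDORS = {
    "Acme Parts Ltd": VendorRecord("Acme Parts Ltd", "DE-0000-NEW", date(2019, 5, 28), False),
    "Globex Supplies": VendorRecord("Globex Supplies", "GB-0000-OLD", date(2017, 1, 15), True),
}
SAMPLE_REQUESTS = [
    WireRequest("cfo@examp1e-corp.com", "Wellknown Law LLP", "CH-9999-LAW", 1_200_000.0, TODAY, True, True),
    WireRequest("ap.clerk@example-corp.com", "Acme Parts Ltd", "DE-0000-NEW", 48_000.0, TODAY),
    WireRequest("ap.clerk@example-corp.com", "Globex Supplies", "GB-0000-OLD", 9_500.0, TODAY),
]


def review_all(requests=SAMPLE_REQUESTS, vendors=VENDORS, today=TODAY) -> Dict[str, List[str]]:
    return {r.payee: review(r, vendors, today) for r in requests}
```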
To put these threats into perspective, the FBI estimates that business e-mail compromises have cost companies more than $5 billion over the past five years. Given the likelihood of underreporting, that actual figure might be substantially higher. In fact, some empirical evidence suggests that companies withhold information from investors on more severe cyberattacks, especially when management appears to believe that the attacks will not be independently discovered.
What Auditors Can Do
What is the role of the auditor as it relates to these and other cybersecurity threats facing our financial reporting system? Today, based on our current standards, an auditor of public company financial statements plays an important, but limited, role with respect to cybersecurity. The auditor does not broadly evaluate the company’s overall cybersecurity risk or the design and operating effectiveness of nonfinancial controls adopted by the company to mitigate that risk.
Instead, as it relates to cybersecurity, the auditor focuses on information technology that the public company uses to prepare financial statements. The auditor also focuses on automated controls around financial reporting, such as controls around the reliability of underlying data and reports. When doing integrated audits, the auditor also separately assesses companies’ internal controls over financial reporting.
With respect to cybersecurity disclosures by a public company, a financial statement auditor plays two distinct but likewise limited roles. For cybersecurity-related incidents reflected in the financial statements themselves, the auditor evaluates whether those statements, taken as a whole, are fairly presented in accordance with generally accepted accounting principles in all material respects. For example, if a company establishes a material contingent liability for an actual cyberincident, then the auditor would need to evaluate, in the overall context of the financial statements, the appropriateness of the disclosure of that liability in the footnotes to those statements.
The auditor plays an even more limited role when cyber-related information is not contained in the financial statements themselves, but elsewhere in the company’s annual report. Here, the auditor need not corroborate the information in the report; instead, the auditor need only read and consider whether the cyber-related information in the report or its presentation is materially misleading, is a material misstatement of fact, or is materially inconsistent with the information in the financial statements.
Can auditors do more? Unless an organization runs entirely on manual processes without using technology or the Internet, I believe auditors should consider cybersecurity as part of the risk assessment. Few enterprises are totally devoid of cybersecurity risk, particularly public companies.
We know some auditors are laser focused on cybersecurity and have taken steps to specifically consider cyberthreats when assessing the risks of material misstatement in the financial statements of public companies. Whether or not a cyberincident has occurred, during the planning process an auditor must perform a risk assessment, and I believe that assessment should consider any cybersecurity risks that could have a material effect on the company’s financial statements. If the auditor identifies a risk related to cybersecurity that could have a material effect on a company’s financial statements, the auditor should then design and execute procedures to address that risk. For an integrated audit, this work would include testing relevant controls.
To begin the risk assessment, an auditor must obtain an understanding of the company and its external and internal environment. This understanding, of course, includes the company’s IT systems relevant to financial reporting, along with any related subsystems. This also includes understanding the potential access points into these systems, as well as the logical access controls over the systems.
As part of the risk assessment, I believe an auditor should also understand the methods used by the company to prevent and detect cyberincidents that could have a material effect on the financial statements, the company’s processes that block and identify attempted unauthorized transactions or access to assets, and employees’ familiarity with those processes.
Other areas of focus should include the company’s processes to assess and address material cyberincidents once identified. This includes understanding, for example, how the company ensures timely evaluation and reporting up the management ladder of material incidents. It also includes how the company ensures appropriate escalation to the board and timely consideration of disclosure obligations to investors and others.
When performing these risk assessments, I encourage auditors to think broadly. As companies become more digitally linked to their vendors, customers, and employees, the potential entry points and attack surfaces multiply. We also know that threat actors usually target the weakest link to gain entry, such as a website or an e-mail account. Once inside, threat actors typically seek to move laterally throughout the organization’s IT architecture, looking to gain entry and access into systems they can exploit. As a result, an auditor should be clear-eyed about the risk that attackers can operate under the guise of legitimate users, ultimately accessing the systems or subsystems that support the financial reporting process.
Even if a specific cyberincident has not been identified, it is important for an auditor to remain professionally skeptical throughout the audit. According to a recent study, the average time to identify a breach is 196 days, more than six months. Therefore, a real possibility exists that a breach has occurred and has not yet been identified or disclosed to the engagement team.
What is an auditor’s responsibility if a company experiences a cyberincident? Of course, the auditor must assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should also consider the expected effect of the breach on the company’s operations. Armed with that information, the auditor should consider the financial statements and the financial implications of the breach. The financial effects could include the loss of revenue from disrupted operations and the cost associated with securing, reconfiguring, and replacing systems. Costs could also include the fees associated with conducting forensic inquiries and defending against enforcement investigations and civil actions, as well as paying regulatory fines and civil monetary penalties to harmed private individuals.
Beyond that, the auditor should also assess whether the incident resulted from a deficiency in the company’s internal controls over financial reporting, and whether the company has put in place procedures to prevent similar future incidents. The auditor should also explore with management and the audit committee the nature and type of disclosures that the company is considering in its financial statements or notes to those statements.
An auditor’s obligation to assess the risk of material misstatement continues throughout the audit. Therefore, if the auditor obtains information about a cyberincident during the audit, then the auditor should evaluate whether that incident has an effect on the previously performed risk assessment. If so, the auditor would need to revise the risk assessment and appropriately modify the planned audit procedures, potentially performing additional procedures. Regardless of the effect on the risk assessment, the auditor would need to document relevant considerations of the cyberincident on the audit.
Finally, even when a cyberincident may not appear to be material to the financial statements, if an auditor becomes aware of a possible illegal act related to the incident, the auditor would need to make sure that the company’s audit committee is adequately informed about it as soon as practical. Such an incident could occur if management, notwithstanding a legal requirement, failed to timely disclose a breach of customers’ personally identifiable information.
A Shared Responsibility
Cybersecurity represents one of the most significant economic, operational, and national security threats of our time. It is a key risk to investors and our capital markets as well. How do we respond? One thing is for sure: we all must take responsibility. The government, private institutions, and individuals each share responsibility for protecting our individual and collective assets and each other from cyberthreats.
Public companies and their officers and directors have important roles as well. So do auditors. Given the magnitude of the threat, we can only effectively respond if we act together. Thank you for giving me this opportunity to share my thoughts on a topic I’m passionate about.