Armanino Blog

Identifying Cyber Risks in an Audit

by Liam Collins
September 24, 2018

As the frequency and severity of cyberattacks have increased, data security should be a critical part of the audit risk assessment. The Public Company Accounting Oversight Board (PCAOB) made cybersecurity one of the areas of focus for inspection about three years ago. Here’s what that project has revealed so far.

Increased scrutiny

During a June 2018 meeting of the Standing Advisory Group, PCAOB inspectors reported that public company auditors today are increasingly focused on matters related to cybersecurity. And they’re trying to adjust their audit procedures accordingly.

In recent years, PCAOB inspectors have interviewed auditors of companies that have experienced a breach of their computer systems. They’ve sought to find out how the auditors and their firms responded to the incidents.

Audit firms have provided varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit. Many firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents, reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.

Auditors have also been retaining audit evidence about what their clients have been doing to understand the breaches of their computer systems.

Beyond IT

Most companies today view cybersecurity as a business problem, not just as an information technology (IT) issue. Powers reported that, as a result, audit committees are extremely interested in hearing what the auditors have to say about cybersecurity and have been vocal about what their expectations are relative to what the auditors are doing on cybersecurity.

In addition, companies and their auditors must evaluate the costs associated with cybersecurity breaches, which may not always be apparent. Powers said that cost is like an iceberg: You realize 85% of the iceberg is under the sea, and you can’t really see it. Those costs are the costs that companies are wrestling with, and certainly costs that auditors are wrestling with, when they look at financial statement presentations.

Work in progress

The PCAOB hasn’t found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there is a risk that future cyberattacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program this year to explore what auditors are doing to protect client and stakeholder data.

The PCAOB will be looking for firms’ cybersecurity strategies, what is their governance, basically managing and overseeing that strategy, Powers said. How do they identify and prioritize risks? What kind of controls do they establish? But equally as important, how do they monitor that those controls are operating effectively?

Specifically, the PCAOB hopes to gain insight into:

  • How companies evaluate, manage and respond to cyber risks and cyber incidents
  • The implications of cyber risks and cyber incidents for financial reporting, including disclosure obligations in filings with the Securities and Exchange Commission (SEC)
  • Auditor responsibilities as part of an audit of financial statements or internal controls over financial reporting related to cyber risks and cyber incidents
  • How audit firms evaluate, manage and respond to their own cyber risks and cyber incidents

PCAOB inspectors also want to understand how auditors establish and maintain timely communications with audit committees and external stakeholders.

Universal risk factor

The PCAOB’s inspection project targets audits of public companies. But private companies can also be victims of cyberattacks—and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The PCAOB’s findings underscore the need for auditors of entities of all sizes to modify their procedures to answer key questions about cyber risks and the effectiveness of their audit clients’ internal controls.

Liam Collins - Partner, Audit - San Francisco CA | Armanino