Cybersecurity Risk Management Oversight: A Tool for Board Members

June 2018

A new tool issued by the Center for Audit Quality aims to assist board members in their oversight of data security and cybersecurity risks and disclosures by providing key questions board members can use in their discussions with management and auditors. The tool also points to key resources from leaders in the field of cybersecurity. The goal of the tool is two-fold. First, it is intended to better educate board members and others charged with governance and to provide discussion starters that help them properly evaluate their cyber risks. Second, it is meant to help auditors assess how actively involved the board members and others charged with governance are in assessing these risks.
 

Overview

This spring, the Center for Audit Quality (CAQ) released a new tool, Cybersecurity Risk Management Oversight: A Tool for Board Members, as a resource for board members in their oversight of data and cybersecurity risk.
The tool provides resources and key questions board members can use in their discussions with management and auditors organized into four sections:
  1. Understanding how the financial statement auditor considers cybersecurity risk
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
  3. Understanding management’s approach to cybersecurity risk management
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management
Cybersecurity has rapidly become a significant risk to businesses as breaches of information continue to result in financial and reputational damage, diminish investor confidence, and expose organizations to potential regulatory fines. It is important for board members to recognize and address cybersecurity risk. One key element is to ask open-ended questions of management and auditors, each of whom has a valuable and distinct perspective that may benefit those charged with governance. The board may further determine that an outside advisor is required to evaluate the company’s mitigation of cybersecurity risk. The CAQ tool provides suggested questions to assist in these conversations.

Understanding how the financial statement auditor considers cybersecurity risk
The CAQ recognizes that “the financial statement auditor considers cybersecurity in two key contexts: (1) the audits of financial statements and, if applicable, ICFR; and (2) financial statement other disclosures.”
It is the responsibility of the audit committee to approve audit and non-audit services and to understand the overall audit strategy. Auditors may be engaged for financial statement audits, financial statement audits that include reviews of ICFR (internal control over financial reporting), or in an advisory role outside of the audit of financial statements. It is important that the board fully understands the scope of work to be performed by the auditor and how cybersecurity is considered within that scope, which it can do by asking open-ended questions that lead to productive discussion. The board should maintain an open dialogue with auditors to understand roles and responsibilities related to cybersecurity risk.

Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
The release of the SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures reinforces the focus on, and demand for, transparent and complete information regarding cybersecurity risk in all SEC filings, including annual and periodic filings (e.g., Form 10-Q). These recommendations are applicable to nonissuers as well. While stakeholders must understand that it is impossible to address all cyber risks in a company’s filings, the expectation is that known risks, policies and procedures, incidents, and programs should be communicated. Companies are charged with telling their own cyber risk story, and in order to properly oversee this component, the board must broadly understand the risks and mitigating factors, together with the responsibilities and expertise of all the resources at its disposal.

Understanding management’s approach to cybersecurity risk management
As the “Internet of Things” (IoT) quickly becomes a reality, and cyber risk evolves to include all aspects of a company’s operations, it has become increasingly necessary for management to develop a comprehensive cybersecurity risk management program. Often companies have cybersecurity integrated throughout their enterprise risk management. It is the board’s responsibility to oversee these programs and ensure transparent disclosure to stakeholders.

Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management
CPA firms are in an advantageous position to support boards in their oversight of cybersecurity. These firms bring core skills such as skepticism and innovation, values such as independence and objectivity, and experience and knowledge drawn from a broad range of clients; most firms even have teams specializing in cybersecurity. It is important to understand independence considerations in addition to the potential service offerings.

Next Steps
The CAQ Cybersecurity Risk Management Oversight: A Tool for Board Members serves as a valuable resource to board members in the execution of their oversight duties with respect to increasing transparency, consistency and reliability within the financial reporting chain. It further should be referenced by auditors as they strive to provide guidance to audit committees in this critical risk management area.

BDO continues to provide financial reporting resources, specifically related to cybersecurity, including the following recently issued tools and resources audit committees may find helpful:
 
Recommended Resources
Cybersecurity: Resources Boards Want to Know About (BDO Webinar, registration coming soon, August 2018)
CAQ’s Cybersecurity Risk Management Oversight: A Tool for Board Members (CAQ Publication, April 2018)
2018 Shareholder Meetings – What’s on Deck? (BDO Webinar, March 2018)
SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures (SEC Guidance, February 2018)
What’s on the Minds of Boards? (BDO Webinar, November 2017)
Are You Cyber Aware?: 10 Cybersecurity Questions for Senior Executives (BDO Practice Aid, October 2017)
Cyber Risk Management: What You Need to Know Now (BDO Publication, October 2017)
2017 BDO Cyber Governance Survey (BDO Survey, September 2017)
Introducing SOC for Cybersecurity: Translating Cyber Risk for Every Stakeholder (BDO Publication, June 2017)
AICPA SOC for Cybersecurity – What You Need to Know Now (BDO Webinar, June 2017)
The CPA’s Role in Addressing Cybersecurity Risk (CAQ Publication, May 2017)
Cybersecurity Officially Reaches the Board – Twelve Questions Every Board Should Ask (D&B Article, June 2017)
What Boards Need to Know about Cybersecurity (But May Be Afraid to Ask) (Webinar, March 2017)
We commend the CAQ for continuing to produce valuable tools and resources on this topic and others relevant to boards of directors. We will continue to highlight these and other activities, trends, and relevant discussion points to our client audit committees and management teams through our Center for Corporate Governance and Financial Reporting.
 

For more information, please contact one of the following practice leaders:

Jeff Ward
Third-Party Attestation Practice Leader

Bryan Martin
National Assurance Partner

Amy Rojik
National Assurance Partner