The Center for Audit Quality releases new guidance on Cybersecurity Risk Management Oversight: A Tool for Board Members

Guidance can help organizations establish dialogue with financial statement auditors on cybersecurity risk

As more and more companies suffer data breaches, scrutiny and legislative obligations increase for management and board members in their oversight roles regarding cybersecurity risk management. On April 12, 2018, the Center for Audit Quality (CAQ) released the publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members,” to help guide board members in discussions of cybersecurity risks and to ensure organizations establish and maintain sound processes and controls for identifying and responding to breaches.

The CAQ identifies four main areas where boards can engage in cybersecurity discussions with management and their auditors. CAQ helps those charged with oversight to ask the right questions to gain a clearer understanding of:

  1. How the financial statement auditor views cybersecurity. The Sarbanes-Oxley Act of 2002 (SOX) requires management and, for large public companies, the financial statement auditor to assess the effectiveness of internal control over financial reporting (ICFR). Because the auditor's remit is ICFR, the auditor's responsibility for cybersecurity is bounded by the risk that an incident affects the financial statements; it is not an assessment of the company's overall security program. The CAQ's questions help boards understand how the financial statement auditor looks at cybersecurity and what the auditor's roles and responsibilities are relative to cybersecurity risks.
  2. Management's and the auditor's role in cybersecurity disclosures. The Securities and Exchange Commission (SEC) Division of Corporation Finance issued cybersecurity risk disclosure guidance in 2011, and in February 2018 the Commission expanded that guidance to address the importance of cybersecurity policies and procedures and the insider trading risk that arises when a company holds material non-public information about an incident. The update reinforced that companies are required to maintain disclosure controls and procedures and to evaluate their effectiveness. In the event of a cybersecurity incident, board members need to be aware of the company's disclosure obligations and the role of the financial statement auditor. A deeper understanding of the obligations of both parties supports transparency in financial reporting.
  3. Management's approach to addressing cybersecurity risk. The SEC's February 2018 update emphasized the board's role in oversight of cybersecurity risk management. This section focuses on the importance of an organization having processes and programs in place to evaluate the effectiveness of its cybersecurity risk management program and to address the impact of a cybersecurity breach.
  4. How CPA firms can assist boards with cybersecurity oversight. Increased cybersecurity awareness has exposed gaps in internal capabilities. Cybersecurity Ventures predicted that there will be 3.5 million unfilled cybersecurity positions by 2021. Boards of directors and management should be aware of the extent of their internal capabilities for addressing cybersecurity and, in turn, be able to identify where they can leverage a CPA firm to provide guidance in cybersecurity.

Boards and management oversight: Assess your company’s current cybersecurity posture

Boards of directors and management should assess their cybersecurity-related policies and procedures. All companies should consider taking actions to address each of the four main areas above. Board members' and management's awareness of the organization's cybersecurity controls is crucial in protecting business interests from current and future threats.

This guidance should be used to prompt and steer dialogue for boards of directors and management to better understand, assess and identify their disclosure obligations related to cybersecurity incidents. The guidance can help all companies identify cybersecurity needs and deficiencies they need to address.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.