U.S. Treasury joins push for auditors to check cybersecurity
They’re the new cybercops, pounding the data security beat and swinging their digital nightsticks. Meet … the certified public accountants.
A senior Treasury official Wednesday backed a proposal to establish a reporting framework for CPAs to assess the cybersecurity of companies they audit.
“Imagine a world,” urged Sarah Bloom Raskin in a speech to the Public Company Accounting Oversight Board International Institute on Audit Regulation, “in which all types of entities could convey the effectiveness of their cybersecurity risk management in a standardized, non-technical way. … Think about the power of such assurance. Boards, shareholders, customers, counter-parties, and regulators could gauge the relative effectiveness of organizations’ cybersecurity and resiliency.”
Currently, the regular audits that publicly traded companies have to undergo — since the passage of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act in 2002 following the Enron scandal — include a very limited cybersecurity element. Because auditors have to attest to the accuracy of the company’s financial statements, they are required to check the cybersecurity of the financial reporting systems that provide that data.
The Sarbanes-Oxley standard “is appropriate to address financial reporting risk but it does not address a company’s overall business or operating risk,” Raskin said.
Generally, unless retained to carry out a special cybersecurity assessment, an auditor “does not more broadly evaluate a company’s overall cybersecurity risk management program,” she added.
But now there’s a move afoot to change that. Over the summer, the American Institute of Certified Public Accountants, or AICPA, proposed a draft framework for what it calls “cybersecurity attestation engagements.”
The idea is a standardized protocol that CPAs could follow to produce a report on a company’s cybersecurity that would be comparable with reports on other companies. According to Raskin, the process would have three parts:
- Management provides a description of the company’s cybersecurity risk management program and lists the ways in which it identifies, monitors, and reduces cyber risks.
- Management attests “whether the controls implemented are suitably designed and operate effectively.”
- The auditor opines “on the accuracy and completeness of management’s description as well as whether the cybersecurity controls are suitably designed and operate effectively in achieving the company’s cybersecurity objectives.”
“Think about the power of such assurance,” she added. “If done right — with independence, objectivity, appropriate expertise and professional skepticism — such an assurance process would be a vehicle by which greater cybersecurity and resilience could be achieved” across the economy.