Panelists at the PCAOB’s June 25 Standing Advisory Group Meeting discussed cybersecurity and the potential implications for financial reporting and auditing. Some of the highlights from the panel include the following:
- Companies need internal controls to prevent and detect cyber attacks generally, including controls to prevent and, more importantly, detect a cyber attack on a company’s information technology (IT) accounting system.
- Companies should continually assess the controls related to their IT accounting system to ensure that the controls are up to date.
- A cyber attack on a company’s IT accounting system could involve, or could suggest the risk of, the attacker’s manipulation of the company’s books and records, which could affect financial statements.
- Even if a review of the cyber attack shows that someone can read only the electronic financial information, such access may be covered by a company’s internal control over financial reporting.
- A cyber attack may have an indirect effect on financial statements by requiring the future recognition of asset impairments and loss contingencies and may require a company to reconsider projections.
- According to one panelist, companies are not doing a good job when it comes to establishing controls that enable them to detect cyber attacks. Specifically, the panelist estimated that, in 75% of the 3,000 cyber attacks that the government reported to companies, the companies had not detected the cyber attack. The panelist did not say whether the inability to detect the cyber attack suggested that the companies’ detection controls were not adequate or that detection controls could not be updated sufficiently to anticipate new cyber attack methods.
- If a company’s financial position is not sound, a cyber attack might require an assessment as to whether the company continues to be a going concern.
- One panelist asserted that the notion that cybersecurity is first an issue for auditors and the audit committee is misguided because cybersecurity is the responsibility of the entire board.
- A deputy chief accountant of the SEC noted that, from a management perspective, cybersecurity is an issue that transcends internal control over financial reporting and reliable financial reporting because there are also business and operational risks, risk factor disclosure and internal accounting controls extending beyond internal control over financial reporting, which management must keep at the forefront of its mind.1