By John Filar Atwood
Companies face hundreds, if not thousands of attempts to break into their systems on a daily basis, according to Bill Powers, deputy director for technology at the PCAOB. Cybersecurity is an important issue for the Board, and it is working with audit firms to keep track of what is being done to protect client and stakeholder data against cyber-attacks.
Powers said that cybersecurity became a focus for the PCAOB three years ago, Powers said. At that time, the Board began to interview engagement teams where there had been an incident to see how they handled it, and how the company was supporting their efforts, he noted.
Inspection observations. Powers offered a number of observations from the last three years of audit firm inspections. First, he noted that most companies recognize that cybersecurity is not just an IT issue anymore. It is a business issue, he said, and as a result the risks associated with it can be significantly larger than the issues associated with just IT.
He also observed that audit committees are interested in what auditors have to say about cybersecurity. In his experience, audit committees have been vocal about their expectations with respect to how auditors are handling cyber issues.
Powers noted that many companies have provided guidance to their engagement teams in the area of cybersecurity. The guidance often addresses how to go about assessing risk when starting an audit, and what to do when it is discovered that a cyber incident occurred during the course of an audit, or during the period under audit, he added.
Another observation that Powers made from recent inspections is that many companies are factoring cyber issues into their overall risk assessment. In his view, there is a real focus by companies on understanding how cyber incidents occurred, and what the impact was both from a financial reporting point of view and an internal controls over financial reporting standpoint.
Costs of cybersecurity. He has seen many companies wrestling with the costs associated with cyber incidents in recent years. Sometimes the costs are apparent and sometimes are more subtle, he noted. Companies and auditors are examining potential cyber costs as they work on the financial statements, he said.
The PCAOB is finding that engagement teams are retaining audit evidence regarding what companies have done to understand the cyber incidents, according to Powers. At this point in time, the Board has seen no material misstatements of financial statements because of a cyber incident, he said.
Going forward. Looking ahead, Powers said that the PCAOB is continuing to work with engagement teams to try to understand what they are doing in the area of cybersecurity. This year, the program is expanding to focus on what the firms are doing to protect client and stakeholder data that they retain, he said.
The staff is specifically reviewing cyber strategies, what governance policies are in place to oversee and manage the strategy, how companies identify and prioritize risks, and what kinds of controls they establish, according to Powers. Equally important, in his view, is an evaluation of how companies monitor their controls to ensure they are operating effectively.
The PCAOB is trying to understand how companies respond to cyber incidents and how they establish, maintain and conduct timely communications both internally and externally with regulators and outside organizations, he said. Also of interest to the Board is what companies have done, or will do, to develop and recover from cyber incidents to get back to normal operations, he noted. The Board will continue to monitor what other regulators are requiring of issuers and audit firms in this area, he concluded.