Emerging technologies present real risks through coding errors, unintended or algorithmic bias and unauthorized access to information systems and data, Public Company Accounting Oversight Board Member Kathleen M. Hamm told Baruch College’s Financial Reporting Conference in May. The PCAOB has prioritized “quality control” and “data and technology” on its research agenda, Ms. Hamm reported.

She outlined the two “limited, but important” roles that the auditor has related to cybersecurity threats facing the financial reporting system. “For cybersecurity-related incidents reflected in the financial statements themselves, the auditor evaluates whether those statements taken as a whole are fairly presented in accordance with generally accepted accounting principles, in all material respects,” Ms. Hamm stated. “The auditor plays an even more limited role when cyber-related information is not contained in the financial statements themselves but elsewhere in a company’s annual report… the auditor need only read and consider whether the cyber-related information in that report, or its presentation, is a material misstatement of fact or materially inconsistent with the information in the financial statements.”

However, Ms. Hamm believes “auditors should consider cybersecurity as part of their audit risk assessments,” unless the organization runs entirely manually, without using technology or the internet. She thought that exception might only describe ecclesiastic groups hand-copying holy texts on mountain tops. “If the auditor identifies a risk related to cybersecurity that could have a material effect on a company’s financial statements, the auditor should then design and execute procedures to address those risks. For an integrated audit, this work would include testing relevant controls.”

She encouraged auditors to “think broadly” when performing risk assessments: as companies become increasingly linked with their vendors, customers and employees, “the potential entry points and attack surfaces multiply,” and the weakest link becomes the target. Noting that a recent study found the average time to identify a breach is 196 days, Ms. Hamm advised auditors: “Even if a specific cybersecurity incident has not been identified, it is important for an auditor to remain professionally skeptical throughout the audit.”

Even if a cyber incident does not appear to be material to the financial statements, but the auditor becomes aware of a possible illegal act related to the incident, Ms. Hamm advises “the auditors would need to assure themselves that the company’s audit committee was adequately informed as soon as practical. Such an instance could occur if management, notwithstanding a legal requirement, failed to timely disclose a breach of customers’ personally identifiable information.” She observed: “The government, private institutions, and individuals each share responsibility for protecting our individual and collective assets and each other from cyber threats.”

Licensees’ responsibilities for cybersecurity will be addressed at NASBA’s 2019 Regional Meetings.