New type of engagement will allow auditors to perform “cybersecurity examinations”


By Ken Tysiac

A new type of engagement that is under development will give auditors a framework for providing organisations with an evaluation of their cybersecurity risk management.

The engagement would be called a “cybersecurity examination” and would be separate from the financial statement auditing process. A chapter in Social Contract 3.0: Implementing a Market-Based Model for Cybersecurity, which is scheduled to be released Thursday by the Internet Security Alliance and will be available for order on its website, describes a new model for auditors’ involvement in evaluating cybersecurity risks.

Authored by the Center for Audit Quality (CAQ), which is affiliated with the American Institute of CPAs, Chapter 13 of the publication describes an AICPA and CAQ initiative that would give auditors an opportunity to assess and provide assurance over internal controls related to cybersecurity risk management.

The goal is to give auditors an opportunity to help all industry sectors in this challenging area.

“Given its prominence for investors and markets, cybersecurity has been a top priority for the Center for Audit Quality,” CAQ Executive Director Cindy Fornelli said in a news release. “Auditors can expand their role in accordance with time-tested assurance frameworks, thus bringing the profession’s many strengths to bear on today’s cybersecurity challenges. Reports issued under this new approach would benefit from the consistency, rigor, independence, and objectivity of the practitioners.”

Cybersecurity is one of the most challenging areas of risk management that businesses face today. Cyber threats were ranked No. 3 on the list of top business risks by board members and executives in the Top Risks Survey for 2016 conducted by Protiviti and North Carolina State University.

The AICPA Assurance Services Executive Committee is in the final stages of developing a process for examining internal controls related specifically to cybersecurity risk management. According to the CAQ’s chapter in the publication, auditors’ reports on cybersecurity management would need to be presented in a consistent manner to provide credible information and allow comparisons to be made.

The objective of the report would be to provide the user with:

  • A description of the entity’s cybersecurity risk-management programme.
  • Management’s assertion about whether that description is fairly presented and whether the controls are suitably designed and operating effectively.
  • The practitioner’s opinion on fair presentation of the description and on the suitability of design and operating effectiveness of controls.

The examination would be voluntary for companies and audit firms, according to the CAQ, and the criteria would be a customised version of the AICPA Trust Services Criteria—enhanced for cybersecurity considerations.

In addition, the CAQ suggests that several principles around enhancements to cybersecurity should be embraced. These include avoiding “blaming the victim”, and enabling private-sector solutions to cybersecurity challenges.

Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine editorial director.