Is Your Organization Secure? How Auditors Assess Cyber Risks
Data security is a critical part of the audit risk assessment of an organization. If your financial statements are audited, your audit team will tailor their procedures to answer critical questions about cyber risks and the effectiveness of your internal controls. While conducting fieldwork, they’ll assess how your practices measure up and whether your company has weaknesses that may require additional inquiry, testing and disclosure.
Is cybersecurity a priority?
Most companies today view cybersecurity as a business problem, not just as an IT issue. During the audit process, it’s important to identify your company’s most valuable data assets, and then consider how your management team assesses, manages, and responds to cyber risks and cybersecurity incidents.
People are often the weakest link in cybersecurity. Auditors will evaluate your company’s training, awareness, and accountability policies to safeguard sensitive data. Those policies may need to be regularly updated as hackers get more sophisticated and find new ways of breaking into systems, and as your business environment changes.
Most recently, remote working arrangements during the COVID-19 pandemic have resulted in new risks as employees access data from less secure home networks. Companies may need to modify their practices to maintain effective data security.
Auditors may also consider the tone at the top of your organization. Cybersecurity should be integrated into an organization’s values and goals. Responsibility shouldn’t rest solely in the hands of your company’s IT department. If your company can’t keep its intellectual property and customers safe, its ability to operate will be diminished over the long run.
What’s important to investors and lenders?
To date, the Public Company Accounting Oversight Board (PCAOB) hasn’t found any material misstatements on a public company’s financial statements because of a cybersecurity breach. Stakeholders generally have confidence in the ability of auditors to evaluate and identify cyber risks.
However, audit committees and other external stakeholders recognize that there’s a risk that future cyberattacks may affect financial reporting. They expect auditors to actively communicate about cybersecurity measures and the costs associated with breaches. The full cost of a data breach, including response and reputational damage, may not always be apparent. Financial statement disclosures should be as accurate, timely and comprehensive as possible.
An agile approach
Unlike many traditional audit risks, which tend to be fairly constant and predictable over time, cyber risks are constantly evolving.
We have experience evaluating and disclosing data security practices. Buchbinder Information Technology Solutions is designed to help clients assess inherent and residual cybersecurity risks to their organizations. Contact us today to discuss your specific situation.