April 12, 2018
The Center for Audit Quality has released a tool to help members of the boards of public companies oversee cybersecurity risk management in their organization.
The publication, Cybersecurity Risk Management Oversight: A Tool for Board Members, offers questions that board members can use as they discuss cybersecurity risks and disclosures with management and CPA firms. The questions are categorized into four main groups:
1) Understanding how the financial statement auditor considers cybersecurity risk;
2) Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures;
3) Understanding management’s approach to cybersecurity risk management; and
4) Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management.
Along with questions, the document includes cybersecurity-related resources from the CAQ, the American Institute of CPAs, the National Association of Corporate Directors, and other organizations.
“Boards of directors face an enormous challenge in overseeing how their companies manage cybersecurity risk,” said CAQ executive director Cindy Fornelli in a statement. “Our tool can help foster dialogue that is crucial to addressing cybersecurity challenges and to establishing a clear understanding of cybersecurity roles and responsibilities. As boards tackle this oversight challenge, they have a valuable resource in CPAs and in the public company auditing profession. CPAs bring deep expertise in providing independent assurance services and have assisted companies with information security for decades.”
The publication notes that CPA firms have assisted companies with information security for decades, and that four of the 13 leading information security and cybersecurity consultancies are public accounting firms. The tool isn’t intended to be an all-inclusive list of questions or to serve as a checklist. Instead, it offers examples of the types of questions board members might ask of management and of the company’s auditors.