U.S. organizations that were victims of a data breach in 2018 lost an average of $7.91 million due to the breach. That cost is the highest of all regions and countries covered in the 2018 Cost of a Data Breach Study from IBM and the independent research firm the Ponemon Institute.
Over half of data breaches are due to criminal attacks and not system glitches or human error. This knowledge has led auditors to take a careful look at the risks associated with company cybersecurity. This audit season especially, be prepared to answer questions about the effectiveness of your company’s internal controls against cyberthreats.
According to the Public Company Accounting Oversight Board (PCAOB), auditors today are increasingly concerned with matters related to cybersecurity. The PCAOB gathered this information by interviewing auditors of companies that have had a breach of their computer systems about the way that their firm responded to the incidents.
When it comes to assessing the risk of a data breach or when uncovering an incident that occurred during the audit fieldwork or the period under audit, auditing firms have varied in the level of guidance they provide.
William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections, states, “Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents.”
Auditors examining cybersecurity are likely to ask questions about your company’s policies. Some items they may ask include:
- How does management identify and prioritize cyberrisks?
- What kind of internal controls are in place to protect digital assets and sensitive data?
- What types of training, policies, and security analytics are in place?
- How much does management monitor the internal controls to ensure they are operating effectively?
- Does management have a detailed breach response plan?
- If a breach did occur during the accounting period, how was it handled? What was management’s response, and how much did the breach cost the company?
- Does the company have cyber liability and breach response insurance?
Cybersecurity and financial reporting
The PCAOB has yet to find any material misstatements in a public company’s financial statements as a result of a cybersecurity breach, but the risk still exists. The PCAOB is, therefore, planning to expand its inspection program to examine what auditors are doing to protect client and stakeholder data.
Public and private risk
PCAOB inspectors target the audits of public companies, but private companies are at risk for cyberattacks as well. Companies with fewer resources can be devastated by a cyberattack, because they may not have the ability to absorb losses or the staff to respond adequately to breaches.
The frequency and severity of cyberattacks are increasing, and auditors need to take strides to match those threats with protective procedures. It is our job to analyze your company’s internal controls and cyberrisks. Once we have examined your company’s practices, we can then move to set up more effective management strategies.