Data security is an important piece of the audit risk assessment. If your financial statements are audited, your audit team will specifically investigate critical cyber risks and the effectiveness of your internal controls, and will assess your practices to identify any weaknesses that might require additional inquiry, testing and disclosure.
Making cybersecurity a priority
Cybersecurity is viewed by most companies today as more than just an information technology (IT) issue—it’s also a business problem. It’s important to identify your company’s most important data assets during the audit process, and to consider the ways your management team evaluates, manages and responds to cybersecurity risks and incidents.
Because people are often the weakest link in cybersecurity, auditors will assess your company’s awareness, training, and accountability policies to make sure sensitive data is kept safe. Policies may also need to be regularly updated as your business environment changes, and as hackers become increasingly sophisticated and find new ways of breaking into systems.
For example, companies might need to modify their practices to make sure they maintain effective data security as remote working arrangements during the COVID-19 pandemic cause more employees to access data from less-secure home networks.
It’s also important that responsibility doesn’t fall solely on your company’s IT department; cybersecurity needs to be integrated into your organization’s values and goals. As such, auditors also analyze the tone set by the heads of your organization. After all, your company’s ability to operate will be diminished in the long run if you can’t keep its intellectual property, and its customers, safe.
Importance to lenders and investors
Stakeholders tend to have confidence in the ability of auditors to identify and evaluate cyber risks, since the Public Company Accounting Oversight Board (PCAOB) has yet to find any material misstatements on a public company’s financial statements due to cybersecurity breaches.
Nevertheless, external stakeholders and audit committees do acknowledge the risk that financial reporting may be affected by future cyberattacks. As such, auditors are expected to be active in communicating about cybersecurity measures and any costs associated with breaches. Because the full cost of a data breach may not always be immediately apparent (especially when you include the company’s response and reputational damage), financial statement disclosures need to be as timely, comprehensive, and accurate as possible.
An adaptable approach
While traditional audit risks like supply chain or related party risks tend to remain fairly constant and predictable, cybersecurity risks are always evolving. We have extensive experience in evaluating and disclosing data security practices, and can help you to update your policies and procedures if they haven’t kept up with the times. Each accounting period, our audit team makes a fresh assessment of the cybersecurity risks facing your company in today’s marketplace and modifies our audit procedures accordingly.
Please do not hesitate to contact us with any questions or concerns.