Mark Cornish CA: The evolving relationship between cybersecurity and accounting
Cybersecurity is a hot topic for any organization looking to manage risks, even if that’s just reputational, and lately, no company is safe from attacks. ICAS spoke with Mark Cornish CA, Risk Assurance Partner and US Cybersecurity Attestation Leader at PwC to gain insight on how cybersecurity threats and incidents are increasing the need for reporting to build trust and transparency.
How has cybersecurity risk changed reporting?
It’s not if, but when, a cyber-attack happens.
The drive and discussions are coming from the boards and C-Suite. New questions are asked every time something is in the newspapers, and you’re seeing more pressure because leadership has to perform their fiduciary duty in a constantly changing and challenging area.
Many boards continue to enhance their governance and oversight, while there are increasing external pressures from critical stakeholders, such as business partners, supply chain, investors, and customers. You’re starting to see a focus on this topic because of the associated risks and the potential significant impact should an incident arise.
In the US, the AICPA has developed a reporting framework that aims to build trust and transparency so that a Certified Public Accountant (CPA) can issue an opinion-based report under the AICPA’s Attestation Standards.
The attestation report must meet certain criteria (description and controls criteria), and the CPA needs to gain an understanding and perform testing focused on an organization’s cybersecurity risk management program, their cybersecurity controls framework, and the underlying controls.
Historically, Chief Information Security Officers may have performed relatively limited reporting on an annual basis. Now, however, you’re starting to see boards ask more questions in order to build their confidence in the organization’s existing programs and to exercise their fiduciary responsibilities.
The CPA’s attest opinion, under the AICPA’s cybersecurity reporting framework, is intended to be a general use report that can be provided to management, business partners, customers, investors or regulators. Within the report, management is required to make an assertion regarding the description of their program and that a framework and controls are in place and operating effectively to achieve the organization’s cybersecurity objectives.
The intent of attestation reporting is to provide sufficient information to provide comfort that the organization has a comprehensive and effective cybersecurity risk management program in place. It does not, however, opine on the future operation of controls, or compliance with laws and regulations, for example.
Today, building trust and transparency around a cybersecurity risk management program should be a priority for the majority, if not all, organizations and the AICPA’s framework is an important development here in the US.
How do we see cybersecurity impacting audit?
It is a reasonable prediction that you’re going to see more overlap between cybersecurity and financial audit work as organizations become more digitized, whether that’s due to blockchain, the “Internet of Things” or the cloud, for example.
The importance of technology will likely increase in the future; the volume of attacks and breaches will also likely grow; and as a consequence, so will the need for greater coverage over certain cybersecurity controls, where deemed relevant to internal control over financial reporting.
As a result, the role of an auditor and accountant will likely change. The profession can’t stand still and continue to act like we’ve always done. To remain relevant, we all need to build our digital IQ, including the area of cybersecurity, and consider its impact on the work we perform.
For example, in the US, the Center for Audit Quality recently released a paper on the CPA’s Role in Addressing Cybersecurity Risk, which is also relevant for CAs around the world.
Is there much regulation around cybersecurity in the US?
A recent example is the New York State Department of Financial Services (NYDFS), which came out with specifics around certain aspects of cybersecurity. You’re likely to see more detailed regulations and guidance in this space: it’s high on every regulator’s agenda here in the US and globally.
There isn’t likely to be any deregulation and there is widespread recognition that cybersecurity is a top risk to all companies regardless of the industry. We’ve definitely seen a significant shift in awareness with regulators here in the US and NYDFS is one of those examples.
When regulators perform inspections, they are generally taking steps to understand the cyber risk management programs and controls of the organizations under their purview.
What is your focus when working with an organization?
Reporting is at the top of the agenda at the moment, for various reasons. Boards need to effectively perform their fiduciary responsibilities, for one. There are also increasing demands from different stakeholders, whether that’s customers and business partners with their own risk management initiatives or investors looking for insight into the company’s risk management.
The continued outsourcing of IT through cloud service providers and security operations has led to greater complexity when it comes to risk management in general. On top of that, the changing regulatory environment is likely to become increasingly complex with regard to regulations for cybersecurity practices and the focus on regulatory examinations.
You have organizations that have established a cyber risk management program; however, control evolution may not consistently be where it should be. Return on investment is also a constant challenge as it relates to cybersecurity – unfortunately, you can spend significant money on cybersecurity and still be attacked and have a breach. No system is foolproof; however, organizations should be taking reasonable steps to establish a comprehensive program.
Figuring out the balance and how far you have to go, whether that’s through resources and how you hire, can be a struggle. Some organizations are very sophisticated, and others have limited resources.
Cybercriminals will likely go after the bigger names, and there are natural targets, but that’s not to say smaller companies won’t have issues – every organization has to manage the risks relating to a cyber-attack or breach.
What type of skillset do accountants need in the future for this type of work?
To complete these reports and the initial assessment phases, we need the right balance of technical specialists: people with cybersecurity skillsets and control skillsets. At a minimum, everyone needs a solid understanding of cybersecurity and the associated risks.
About the author
Andrea Murad is a New York–based writer. Having worked on both Wall Street and Main Street, she now pursues her passion for words. She covers business and finance, and her work can be found on BBC Capital, Consumers Digest, Entrepreneur.com, FOXBusiness.com, Global Finance and InstitutionalInvestor.com.