CAQ Tool Helps Boards Oversee Cybersecurity Risk Management of Public Companies

As regulators and investors scrutinize cybersecurity vulnerabilities and related disclosures by public companies, the Center for Audit Quality (CAQ) released a tool to assist board members in their oversight of enterprise-wide cybersecurity risk management.

“Boards of directors face an enormous challenge in overseeing how their companies manage cybersecurity risk,” said CAQ Executive Director Cindy Fornelli. “Our tool can help foster dialogue that is crucial to addressing cybersecurity challenges and to establishing a clear understanding of cybersecurity roles and responsibilities.”

This tool, Cybersecurity Risk Management Oversight: A Tool for Board Members, provides questions board members can use as they discuss cybersecurity risks and disclosures with management and CPA firms. The questions are grouped under four key areas:

I. Understanding how the financial statement auditor considers cybersecurity risk

II. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures

III. Understanding management’s approach to cybersecurity risk management

IV. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management

In addition to its questions, the tool compiles cybersecurity-related resources from the CAQ, the American Institute of CPAs, the National Association of Corporate Directors, and others.

“As boards tackle this oversight challenge, they have a valuable resource in CPAs and in the public company auditing profession,” Fornelli said. “CPAs bring deep expertise in providing independent assurance services and have assisted companies with information security for decades.”

For more on the public company auditing profession’s cybersecurity efforts, consult the CAQ’s cybersecurity resource page, as well as its 2017 whitepaper, The CPA’s Role in Addressing Cybersecurity Risk.