Skip to main content

Accounting

Report Shows How Auditors Can Enhance Trust in Company-Prepared Cybersecurity Disclosures

The Center for Audit Quality (CAQ) has released a new report revealing how the auditor’s role can evolve beyond public company financial statements to enhance the reliability of company-prepared cybersecurity disclosures.

cyber security data_10816596

The Center for Audit Quality (CAQ) has released a new report revealing how the auditor’s role can evolve beyond public company financial statements to enhance the reliability of company-prepared cybersecurity disclosures. Auditor involvement can better meet the changing needs of investors, senior management, boards of directors, and other stakeholders, especially in a heightened risk-environment caused by COVID-19.

The report, The Role of Auditors in Company-Prepared Cybersecurity Information: Present and Future, provides an overview of the types of company-prepared information stakeholders and companies are using to disclose cybersecurity risks, the current role auditors play in assessing those risks, and how that role could evolve by providing advisory or attestation services on company-prepared cybersecurity information.

Cybersecurity can have pervasive impacts on companies. With technology advancing and the COVID-19 pandemic causing increased remote working arrangements, companies are facing new and evolving cybersecurity threats. In response to this, regulators, investors, and other stakeholders are increasingly interested in understanding more about the impact of cybersecurity risks. A World Economic Forum survey ranked information infrastructure breakdown as the sixth most impactful risk facing companies in the next decade.

“As the scale and complexity of cybersecurity challenges has grown exponentially in recent years, investors and other stakeholders may find information beyond the disclosures required by the Securities and Exchange Commission helpful for decision making,” said Julie Bell Lindsay, CAQ Executive Director. “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and company cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”

While most companies disclose some cybersecurity information in SEC filings, such disclosures are often limited to more general information about cybersecurity risks and company programs to address them. A series of interviews conducted by the Swiss Re Institute found that North American and European boards and executives believe shareholders currently do not have enough transparency about a company’s cyber resilience to make informed investment decisions. 

The CAQ’s report also offers key questions board members can consider as they discuss company-prepared cybersecurity information with management and public company auditors. Such a dialogue can not only enhance board members’ understanding of how the company is managing its cybersecurity risks, but also help clarify the auditor’s responsibility for cybersecurity risk considerations and the additional services accounting firms may be able to provide for the company’s risk management program and related disclosures