
An Auditor’s Responsibility for Cybersecurity Risks


Cybersecurity has rapidly become a significant risk to businesses as breaches of information may result in financial and reputational damage, diminished investor confidence, and exposure to potential regulatory fines. Cybersecurity risks and controls are within the scope of the financial statement auditor’s concern only to the extent they could materially impact the preparation and fair presentation of financial statements, including disclosures.

An audit does not encompass an evaluation of cybersecurity risks across a company’s entire information technology (IT) platform. However, financial statement auditors are required to obtain an understanding of the extent of the company’s automated controls as they relate to financial reporting, including the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports used in the audit that were produced by the company. These aspects of internal control would also be within the scope of any audit of internal controls over financial reporting.

The auditor would also be responsible for evaluating the risk of material misstatement to a company’s financial statements resulting from unauthorized access to financial reporting-related IT systems and data. This includes evaluating a company’s accounting for cybersecurity-related losses and the resulting impact on financial statements and disclosures, including items such as contingent litigation, claims, or assessments.

If cybersecurity risk disclosure is in the financial statements, the auditor should perform procedures to assess whether the financial statements taken as a whole are presented fairly in all material respects, including disclosures.

For a publicly traded company, cybersecurity risks may be disclosed in the Form 10-K (e.g., risk factors, management’s discussion and analysis, legal proceedings, and/or business description). The auditor is required to read this information and consider whether it, or the manner of its presentation, is materially inconsistent with information appearing in the financial statements.

Learn more about cybersecurity as it relates to financial auditing in our CPE On-Demand course AICPA Cybersecurity Standards, taught by Tim Gearty.


About the author

Jennifer has more than 25 years of experience in designing high-quality training programs in a variety of technical and “soft-skills” topics necessary for professional and organizational success. In 2003, she founded Emergent Solutions Group, LLC, where she focuses on designing and delivering practical and engaging accounting and auditing training. Jennifer started her career in audit for Deloitte & Touche. She graduated summa cum laude from Marymount University with a B.B.A. in Accounting.

Education: Marymount University: Bachelor's of Business Administration, Accounting

Organizations: North Carolina Association of CPAs; AICPA

Publications: Accounting for Cryptocurrency and Digital Assets; Accounting for Convertible Debt

Courses: Auditing Contingencies; Accounting and Reporting for Contributions, Including Gifts in Kind; The Future of ESG Reporting
