Critical Audit Matters Disclosure Implicates Information Technology and Security

Katherine Doty Hanniford
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

As independent auditors to public companies and business development companies begin to make required disclosure of Critical Audit Matters (CAMs) to the audit committee, such reports are beginning to include discussion of information security programs and information technology controls. Independent auditors have treated material weaknesses in certain information technology controls as material weaknesses in internal controls over financial reporting due to the potential to impact financial reporting.

Although the PCAOB previously issued guidance that cybersecurity incidents which impact financial statements—including key estimates, valuations or accounting for transactions—could become the subject of communications between the auditor and the audit committee, its guidance noted the necessarily fact-specific nature of the analysis and did not specifically address information technology controls or information security other than in the context of a cybersecurity incident. Because CAMs are broadly defined as either qualitatively or quantitatively material to a public company’s financial statements, and/or involving “especially challenging, subjective, or complex judgments,” independent auditors may have wide latitude to assess information technology controls and information security as they impact financial reporting.

To date, recent disclosures in Forms 10-K by certain public companies of CAMs relating to information technology controls include:

  • Insufficient ability to assess controls over third-party information technology providers;
  • Ineffective user access controls regarding information technology personnel’s access to the financial control system; and
  • Ineffective change management controls over information technology systems that support financial reporting.

These CAMs suggest that independent auditors are focused information security programs and information technology controls that relate in some way to financial reporting or third-party service providers that support financial reporting. Given the prevalence of electronic systems involved in financial reporting, the aspects of information technology controls and information security programs potentially in scope is noteworthy.

The PCAOB’s implementation of Critical Audit Matters continues through December 2020. Entities not yet subject to its requirements may wish to revisit the impact that their information technology controls and information security program have on their financial reporting framework.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide