PCAOB Focuses on Cybersecurity at Standing Advisory Group Meeting

Morgan Lewis

Panelists at the PCAOB’s June 25 Standing Advisory Group Meeting discussed cybersecurity and the potential implications for financial reporting and auditing. Some of the highlights from the panel include the following:

  • Companies need internal controls to prevent and detect cyber attacks generally, including controls to prevent and, more importantly, detect a cyber attack on a company’s information technology (IT) accounting system.
  • Companies should continually assess the controls related to their IT accounting system to ensure that the controls are up to date.
  • A cyber attack of a company’s IT accounting system could involve, or could suggest the risk of, manipulation by the cyber attacker of the company’s books and records, which could affect financial statements.
  • Even if a review of the cyber attack shows that someone can read only the electronic financial information, such access may be covered by a company’s internal control over financial reporting.
  • A cyber attack may have an indirect effect on financial statements by requiring the future recognition of asset impairments and loss contingencies and may require a company to reconsider projections.
  • According to one panelist, companies are not doing a good job when it comes to establishing controls that enable them to detect cyber attacks. Specifically, the panelist estimated that, in 75% of the 3,000 cyber attacks that the government reported to companies, the companies had not detected the cyber attack. The panelist did not say whether the inability to detect the cyber attack suggested that the companies’ detection controls were not adequate or that detection controls could not be updated sufficiently to anticipate new cyber attack methods.
  • If a company’s financial position is not sound, a cyber attack might require an assessment as to whether the company continues to be a going concern.
  • One panelist asserted that the notion that cybersecurity is first an issue for auditors and the audit committee is misguided because cybersecurity is the responsibility of the entire board.
  • A deputy chief accountant of the SEC noted that, from a management perspective, cybersecurity is an issue that transcends internal control over financial reporting and reliable financial reporting because there are also business and operational risks, risk factor disclosure and internal accounting controls extending beyond internal control over financial reporting, which management must keep at the forefront of its mind.1

1In this regard, the SEC’s Office of Compliance Inspections and Examinations attached to a risk alert in April 2014 a document request that it uses in connection with its assessment of cybersecurity preparedness in the securities industry. This list may be helpful to all companies in identifying controls, standards, and policies that could be used to address cyber threats. In addition, the Financial Industry Regulatory Authority (FINRA) indicated in its 2014 Regulatory and Examination Priorities Letter that cybersecurity remains a priority for FINRA, with its primary focus being “on the integrity of firms’ policies, procedures and controls to protect sensitive customer data. FINRA’s evaluation of such controls may take the form of examinations and targeted investigations.”


Written by:

Morgan Lewis

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide