Cybersecurity Provides Opportunities for Auditors to Serve

By Ken Tysiac

Cybersecurity challenges require a response from every sector of the economy. Public company auditors can do their part by providing services to clients beyond the financial statements, according to a Center for Audit Quality (CAQ) report published Tuesday.

Auditing standards require financial statement auditors to obtain an understanding of how the company uses IT and the impact of IT on the financial statements. This includes an understanding of the extent of the company’s automated controls as they relate to financial reporting, the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process.

But IT generally has an impact on clients that extends far beyond their financial statements. A company’s overall IT platform includes systems and related data that address not only financial reporting processes but also the operational and compliance needs of the entire organization.

Practitioners also can provide advisory or attestation services on company-prepared cybersecurity information, because public companies often provide voluntary disclosures about their cybersecurity risk management.

Opportunities for auditors include:

  • Assessment engagements. Auditors can provide services to help companies identify key areas of cybersecurity risk, discover gaps in processes and controls, and develop effective controls.
  • Attestation engagements. Practitioners can perform an examination engagement in accordance with the AICPA’s attestation standards to provide an independent report on whether management’s description of the cybersecurity risk management program meets the specifications of the company’s reporting framework. The criteria in the AICPA’s SOC for Cybersecurity framework can be used to underpin such an engagement.

The report from the CAQ, which is affiliated with the AICPA, also contains considerations for boards of directors related to cybersecurity.

“As the scale and complexity of cybersecurity challenges has grown exponentially in recent years, investors and other stakeholders may find information beyond the disclosures required by the Securities and Exchange Commission helpful for decision-making,” CAQ Executive Director Julie Bell Lindsay said in a news release. “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and company cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”

— Ken Tysiac is the JofA’s editorial director.

Source: Journal of Accountancy, October 27, 2020
