May 24, 2017

CPAs Can Play Key Role in Addressing Cybersecurity Risk, Says CAQ Paper

Washington, DC – The auditing profession can help companies and capital markets address growing challenges of cybersecurity, according to a new white paper from the Center for Audit Quality (CAQ). The paper, The CPA's Role in Addressing Cybersecurity Risk, highlights the strengths of audit firms—including core CPA values of independence, objectivity and skepticism; experience in providing independent evaluations; and multidisciplinary expertise—that audit firms can bring to bear for the benefit of senior management, boards of directors and other key capital markets stakeholders.

“Cybersecurity challenges are stark, and they demand that every sector of the economy play a role,” said CAQ Executive Director Cindy Fornelli. “The public company auditing profession will do its part by leveraging its traditional strengths while innovating in ways that can greatly enhance confidence in cybersecurity information and practices.”

The CAQ paper explores the challenging cybersecurity landscape, one in which organizations face varying cyber-threats and impacts—all in an environment marked by rapid technological change. What’s more, various stakeholders increasingly must gather information and communicate with one another about cybersecurity.

In addressing these and other cybersecurity challenges, the CPA profession brings a long history of strong values, as well as decades of experience in auditing information technology controls and providing independent assessments in the areas of financial statements and internal control over financial reporting.

As explored in the white paper, CPAs are able to provide new business services with the development of a new cybersecurity reporting framework from the American Institute of CPAs (AICPA). The AICPA's market-driven, flexible and voluntary framework can provide the user with three key pieces of information that can greatly enhance confidence in cybersecurity information provided by management. The three components are the following:

  • Management’s Description of the entity’s cybersecurity risk management program, based on suitable criteria;
  • Management’s Assertion as to the presentation of its description and that the controls management implemented are operating effectively to achieve the entity’s cybersecurity objectives; and
  • The CPA’s Opinion on management's description and the effectiveness of the controls to meet the entity’s cybersecurity objectives.

The CPA's Role in Addressing Cybersecurity Risk provides perspective on this new AICPA framework, including a set of FAQs that can help senior management, boards of directors and other key capital markets stakeholders understand the framework's scope, how it is separate and apart from the financial statement and internal control over financial reporting audits, and the extent of related communications, among other topics.

For more on the CAQ's cybersecurity efforts, visit its cybersecurity resource page.

# # #

The Center for Audit Quality (CAQ) is an autonomous public policy organization dedicated to enhancing investor confidence and public trust in the global capital markets. The CAQ fosters high quality performance by public company auditors, convenes and collaborates with other stakeholders to advance the discussion of critical issues requiring action and intervention, and advocates policies and standards that promote public company auditors’ objectivity, effectiveness, and responsiveness to dynamic market conditions. Based in Washington, DC, the CAQ is affiliated with the American Institute of CPAs. For more information, visit www.thecaq.org.