They’re the new cybercops, pounding the data security beat and swinging their digital nightsticks. Meet … the certified public accountants.
A senior Treasury official Wednesday backed a proposal to establish a reporting framework for CPAs to assess the cybersecurity of companies they audit.
“Imagine a world,” urged Sarah Bloom Raskin in a speech to the Public Company Accounting Oversight Board International Institute on Audit Regulation, “in which all types of entities could convey the effectiveness of their cybersecurity risk management in a standardized, non-technical way. … Think about the power of such assurance. Boards, shareholders, customers, counter-parties, and regulators could gauge the relative effectiveness of organizations’ cybersecurity and resiliency.”
Currently, the regular audits that publicly traded companies have to undergo — since the passage of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act in 2002 following the Enron scandal — include a very limited cybersecurity element. Because auditors have to attest to the accuracy of the company’s financial statements, they are required to check the cybersecurity of the financial reporting systems that provide that data.
The Sarbanes-Oxley standard “is appropriate to address financial reporting risk but it does not address a company’s overall business or operating risk,” Raskin said.
Generally, unless retained to carry out a special cybersecurity assessment, an auditor “does not more broadly evaluate a company’s overall cybersecurity risk management program,” she added.
But now there’s a move afoot to change that. Over the summer, the American Institute of Certified Public Accountants, or AICPA, proposed a draft framework for what they call “cybersecurity attestation engagements.”
The proposal is for a standardized protocol that CPAs could follow in order to produce a non-technical report on a company’s cybersecurity that would be comparable with other reports about other companies.
It’s been backed by some industry groups, including the Internet Security Alliance, which says it will help scale cybersecurity risk management practices across the entire economy.
Boardrooms, said ISA President Larry Clinton last week, “are more afraid of the auditor than they are of the [cyber]attacker.”
“We enthusiastically support the AICPA effort,” he told CyberScoop this week, adding that it was important, especially for regulators, to understand that cybersecurity attestation was different from an audit.
“An audit is a pass-fail proposition, you are either in compliance or not. Cybersecurity is by no means a binary proposition — you are not secure or insecure. Security is more a continuum,” Clinton said. “These are assessments and not audits, and cannot provide the same degree of certainty that a financial audit does.”
He added: “The assessors need to be properly trained. A CPA may be very good at financial accounting, but that doesn’t mean they can appreciate the subtleties of the evolving cyber threat.”
“A poorly done assessment could not only be wasteful but increase risk,” he concluded.
According to Raskin, the attestation process would have three parts:
- Management provides a description of the company’s cybersecurity risk management program and lists the ways in which it identifies, monitors, and reduces cyber risks.
- Management attests “whether the controls implemented are suitably designed and operate effectively.”
- The auditor opines “on the accuracy and completeness of management’s description as well as whether the cybersecurity controls are suitably designed and operate effectively in achieving the company’s cybersecurity objectives.”
“Think about the power of such assurance,” she added. “If done right — with independence, objectivity, appropriate expertise and professional skepticism — such an assurance process would be a vehicle by which greater cybersecurity and resilience could be achieved” across the economy.