Auditors outline their views on cybersecurity ahead of SEC panel
With the Securities and Exchange Commission set to host a roundtable discussion Wednesday focused on the topic of cybersecurity, a group representing external auditing firms has issued guidance on related issues that its 600 members should consider during an engagement.
“Cybersecurity is one of the most complex and evolving issues facing public companies,” Cindy Fornelli, the Center for Audit Quality’s executive director, said in a press release. “All players in the financial reporting supply chain, including of course independent auditors, have an important role to play.”
In the body of the member alert, Fornelli’s group established some boundaries for members.
“The financial statement and ICFR [internal control over financial reporting] audit responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform,” the alert stipulates.
Rather, the alert notes, external auditors would be expected to assess the risk of material misstatement of financials if a hacker gains access to a client’s IT system, or, if damage has already been done, to evaluate the quality and thoroughness of the company’s financial disclosure in connection with the losses.
In short, external auditors must be on guard when it comes to how IT, and cybersecurity, can affect financial statements.
“Auditing standards require the auditor to obtain an understanding of how the company uses IT and the impact of IT on the financial statements,” the alert states.
On Monday, the SEC released the agenda for Wednesday’s event, which will include a discussion of public company disclosure by a panel that will feature, among others, representatives from insurer and consultant Marsh & McLennan, PricewaterhouseCoopers and Ropes & Gray.