Asking the Right Questions: Key Takeaways From the CAQ’s ‘Cybersecurity Risk Management Oversight’ Guidance

In April 2018, the Center for Audit Quality (CAQ) released a document to help board directors fulfill their fiduciary duties regarding the oversight of cyber risks. Titled “Cybersecurity Risk Management Oversight: A Tool for Board Members,” this short, 10-page document consists of questions for board members to ask top management and financial auditors to improve cyber risk management and increase overall engagement among business leaders.

Four Key Takeaways From the CAQ Guidance

The questions are organized into four main areas: how auditors may or may not be considering cyber risks in their scope of work, the roles of management and auditors regarding cybersecurity disclosures, how business leaders approach their risk management responsibilities, and how CPA firms can help boards improve oversight of cyber risks. Let’s take a look at these four categories in more detail.

1. How Financial Statement Auditors Evaluate Cyber Risk

The first section of the CAQ guidance urges board directors to understand how financial auditors consider cyber risks. It asks directors to pay attention to the extent that the audit process itself addresses risk and whether the auditors’ procedures are sufficient to assess the effectiveness of security controls.

2. The Roles of Management and Auditors in Cybersecurity Disclosures

The next element concerns the organization’s responsibilities and handling of cybersecurity disclosures, and directly addresses the U.S. Securities and Exchange Commission (SEC)’s updated guidance on that topic. It advises organizations to implement appropriate policies and procedures to ensure accurate and timely disclosure of material cyber events, address and prevent insider trading before the news of a breach reaches the public, and involve representatives from top management and the board in the disclosure process.

3. Business Leaders’ Approach to Cybersecurity Risk Management

The CAQ document also stresses the importance of selecting the right cybersecurity framework and considering the best way to communicate information about the cyber risk program to other stakeholders within the organization. It also asks board directors to consider whether management has processes in place to evaluate the effectiveness of the risk management program and implies that controls should be regularly evaluated.

In addition, the guidance urges board members to determine whether the organization’s leadership has purchased sufficient cyber insurance, addressed third-party risks and developed mechanisms to cope with potential breaches involving outside vendors.

Finally, the third section of the document advises board directors to determine whether the organization has conducted a data breach simulation to gauge top leadership’s ability to respond to an incident, in terms of both the immediate post-breach response and the public disclosure.

4. How CPA Firms Can Help With Cyber Risks

The final section of the guidance explains that boards should explore opportunities to recruit additional help, whether from the organization’s current auditing partner or another firm, to navigate the many challenges associated with cybersecurity. According to the document, an audit “cannot prevent or detect a cybersecurity threat or breach,” so directors should ask, “What is the goal of the cybersecurity examination?” They should also determine what other types of engagements are feasible to help improve the organization’s handling of cyber risks.

Dovetailing With NACD and AICPA

The CAQ document also makes brief but significant references to the work of two other important entities. First, it cites the American Institute of CPAs (AICPA)’s work to keep the auditing profession relevant, including the recent release of its cybersecurity risk management reporting framework. It then references the National Association of Corporate Directors (NACD)’s effort to improve board directors’ awareness and engagement around cyber risks. Of the 10 pages in the CAQ document, three consist of lists of questions extracted from the NACD’s “Director’s Handbook on Cyber-Risk Oversight,” which was published last year.

The Conspicuous Absence of Cyber Resilience

The CAQ oversight guidance is one of the most condensed publications I’ve seen to date that provides useful and actionable information to board directors about cyber risks. However, I can’t help but wonder why it failed to address cyber resilience altogether. This topic has gained a lot of attention in light of recent ransomware disruptions.

While it’s easy to assume that cyber resilience is included under the broader umbrella of cyber risk management, top management and board directors should nonetheless engage directly in efforts to improve the organization’s ability to respond to and recover from cyber incidents. That means putting the company’s capabilities to the test, either through penetration testing exercises or via crisis simulations.

Board directors should also pay close attention to whether the organization’s processes are maturing and improving. The CAQ document notes that business leaders might be able to leverage a CPA firm to help assess the organization’s cybersecurity maturity level.

Even with these minor shortcomings, the CAQ’s “Cybersecurity Risk Management Oversight” tool is a condensed, powerful set of guiding questions that should be on the desktop of every board director, CEO and CISO.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...