The accounting industry grows more nuanced and complex, especially as new technological concerns emerge. Accounting auditors play a critical role in boosting financial data security.
The link between cybersecurity and accounting has often been underestimated, yet it's becoming increasingly clear that auditors equipped with the right skills and resources can ensure that sensitive data is adequately protected. Inadequate financial data security could have significant implications not only for cybersecurity but also from a compliance standpoint.
The enhanced role of cybersecurity in accounting represents an exciting opportunity for the auditors of tomorrow: the chance to develop a more robust technological skill set while adapting to a quickly changing accounting landscape. Below, we provide a deep dive into the role of accounting auditors in managing cybersecurity risks, plus the value of seeking certification to prepare for emerging opportunities in this evolving field.
The Accountant's Role in Cybersecurity
Accountants and accounting auditors play a multi-faceted role in promoting and facilitating more robust cybersecurity initiatives. They are primarily responsible for creating trust among stakeholders, especially as expectations around cybersecurity initiatives grow increasingly difficult to navigate.
Investors are understandably concerned about cybersecurity risks and solutions for mitigating them. As experts at the Center for Audit Quality (CAQ) point out, brand reputation and enterprise value can see a swift decline if stakeholders are not confident that enterprises are taking all actions necessary to safeguard sensitive information. Accounting auditors act as a much-needed liaison, helping stakeholders understand which risks are at play and how to manage them.
CAQ Executive Director Julie Bell Lindsay adds, “In their public interest role, auditors could bring additional discipline to voluntary cybersecurity disclosures and [a company’s] cybersecurity risk management programs, enhancing stakeholders’ trust and confidence in such information.”
Accountants Outside the Organization - External Auditors
Independent of the businesses or organizations that call for oversight, external auditors bring a valuable third-party perspective and can reveal cybersecurity threats that may otherwise prove difficult to pinpoint. For decades, the external auditor has had a vital role in testing the reliability of organizational IT systems to ensure their output is valid.
As a CAQ resource explains, external audits provide a baseline overview of how particular enterprises use information technology and how this impacts financial statements. This process also means revealing "automated controls as they relate to financial reporting" and "assessing the risks of material misstatement to the financial statements…including IT risks resulting from unauthorized access."
Accountants Inside the Organization - Internal Auditors
Auditors are often the first to realize when something is off due to their in-depth understanding of organizational processes and the specifics of IT systems.
Every internal auditor should anticipate organizational risk and develop strategies for mitigating these risks via change processes or insurance decisions. Cybersecurity teams rely on auditors' breadth of knowledge to keep them abreast of the far-reaching consequences of security initiatives (or their failure).
How Accountants Can Boost Their Cybersecurity Skills
Accountants bring many advantages to cybersecurity initiatives: an analytical mindset, attention to detail, and a thorough understanding of auditing procedures related to information technology. They can amplify these inherent benefits by strengthening their cybersecurity skills.
Improving cybersecurity skills begins with delving into the unique mindset of the modern cybersecurity professional. Accountants should understand what drives these experts and which processes or strategies they rely on. Beyond this, accounting professionals can look to trusted industry authorities for insight into today's most significant cyber risks. Examples of these authorities include:
- Center for Audit Quality (CAQ) – The public policy organization CAQ acts as the voice of public auditors but provides helpful insight for accounting firms and all professionals. The CAQ's detailed resource on The CPA's Role in Addressing Cybersecurity Risk gives a broad overview of the current cybersecurity landscape.
- American Institute of CPAs (AICPA) – A trusted national organization representing the modern certified public accountant (CPA), the AICPA is a must for keeping track of emerging issues in cybersecurity. The AICPA recognizes that publicly reporting a firm’s approach to cyber risk is not technically required, although it offers a valuable framework for auditors to report security breaches or add relevant details to annual reports.
In addition to consulting the resources highlighted above, make the most of these suggestions to develop solid technological skills and integrate them into your accounting career:
Best Practices for Accounting Auditors
On a personal level, all accounting professionals must enact extensive security safeguards to protect both personal and enterprise data. Best practices worth following include:
- Using password management tools and multi-factor authentication.
- Developing a redundant backup plan.
- Using anti-malware and content filtering software, especially for email.
- Encrypting data in transit, on devices, and in storage.
Continuing Education in Cybersecurity and Accounting
As cybersecurity risks evolve, so will the technologies and strategies required to combat increasingly sophisticated threat actors. The need for ongoing education will never diminish for IT professionals and accounting auditors. High-level coursework keeps skills fresh and, for some certifications, may be necessary to remain current. Attending professional conferences can also help, as these often provide cutting-edge insight into new threats and opportunities.
Benefits of a Multidisciplinary Approach
It’s true that accounting auditors require technical and analytical skills to excel in their profession. However, these skills alone are not sufficient. In today’s world, cybersecurity issues are multi-faceted and require exceptional soft skills such as creativity and problem-solving abilities. Without these, it can be challenging to convey complex concepts to stakeholders or IT team members. Strong communication skills, in particular, are essential. Cybersecurity accountants must develop these skills to stay relevant and effective.
How Auditors Identify and Assess IT Risks in Accounting Systems
The AICPA explains that "identification and assessment of risks of material misstatement are at the core of every audit, particularly obtaining an understanding of the entity’s system of internal control and assessing control risk." Increasingly, cybersecurity concerns play into efforts to verify that financial statements lack misrepresentations that could potentially mislead investors or other stakeholders.
Public Company Accounting Oversight Board (PCAOB) member Kathleen M. Hamm believes that, for most modern organizations, cybersecurity needs to be a crucial part of audit risk assessment. She explains that few "enterprises are totally devoid of cybersecurity risk, particularly public companies." Regardless of whether cyber incidents have occurred, she recommends performing complete risk assessments detailing "cybersecurity risks that could have a material effect on the company's financial statements."
Financial Data Security Review
Regular audits and assessments should reveal whether any vulnerabilities exist within the systems responsible for handling sensitive financial data. The AICPA calls for regular examinations of control objectives and control activities. At a minimum, Service Organization Control (SOC) reports should occur annually, while auditing is needed twice each year: one audit conducted by the organization and a second by an external independent body.
IT Compliance for Finance and Accounting
The modern financial sector must navigate many security standards, many of which overlap substantially. Although many organizations focus strictly on mandatory regulations related to cybersecurity, there is value in implementing optional measures, as this provides broader coverage and greater peace of mind for stakeholders. Essential controls referenced by the National Institute of Standards and Technology (NIST) include:
- Risk assessments, both internally and involving third-party vendors.
- Identification of critical assets and efforts to quantify the organizational impact if these are compromised.
- Incident response plans for ensuring business continuity in a worst-case scenario.
Assessing and Mitigating Cyber Risks in Financial Audits
Financial audits provide valuable insight into the most alarming of cybersecurity risks. Cyber incidents also add considerable complexity to the financial auditing process. The integrity of these audits could be undermined if threat actors gain access to financial data. Robust cybersecurity initiatives should protect financial audits—encompassing pre-incident assessments, processes for managing third-party risks, and an easy-to-follow breach escalation process.
Ensuring Compliance With Regulatory Requirements and Industry Standards
The Securities and Exchange Commission (SEC) Division of Corporation Finance provides extensive guidance on disclosing cybersecurity risks. This guidance may encompass top risk factors, plus management’s discussion and analysis. A 2018 SEC disclosure guidelines update highlights the need for transparency regarding cybersecurity policies and procedures. Insider trading disclosures, especially from a cybersecurity perspective, are increasingly critical in the digital age.
The Need for Collaboration
Although largely facilitated by accounting auditors, cybersecurity-related regulatory compliance calls for a team effort, with input provided by professionals across multiple departments. Experts from professional services firm Moss Adams explain, "Collaboration between [accounting and IT] teams helps unveil problems and provides quicker identification and solutions development." Strategies for boosting collaboration might include cross-functional committees and aligned language.
Another essential element is a shared understanding of frameworks for compliance from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Regular training is a must for employees at all levels.
How Auditors Can Support Their Teams
Accounting auditors can provide valuable support across departments by understanding the unique concerns and challenges of different types of professionals and how these contribute to the greater picture of financial data security. The goal should be to develop a big-picture understanding of risks across the organization, plus targeted strategies for addressing these or leveraging the skill sets of those capable of providing solutions.
Enhance Your Skills With a Degree
As you prepare for a rewarding career in accounting, be mindful of the numerous dynamic opportunities (and, at times, obstacles) that emerging technology presents. With a thorough understanding of cybersecurity concerns related to financial data and compliance, you should be well-equipped to tackle many of the most significant tasks facing accounting auditors today.
The right degree program can provide well-rounded preparation, including a vast skill set that allows you to adapt to rapid changes in the accounting industry and beyond. Pursue your interests in cybersecurity and accounting with a Bachelor of Science in Accounting. This program offers courses in financial data security and cybercrime, giving you the essential skills you need for success in this growing field. You may also be interested in pursuing a Bachelor of Science in Cybersecurity to dive into the more technical skills vital for this field. Reach out today to learn more.