Cyber-security is a significant concern for business – and for good reason. EY’s latest annual survey of more than 1,700 CEOs and executives responsible for information security, representing many of the world’s most prominent companies, found that 87% lacked confidence in their organisations’ defensive capabilities.
The Association of International Certified Professional Accountants is taking a multifaceted approach to helping businesses address their cyber-security risks. In an interview, the AICPA’s president and CEO, Barry Melancon, CPA, CGMA, shared details about some of the Association’s work in this crucial area:
How do you view the threats and opportunities for organisations when it comes to addressing cyber-security risks?
Cyber-security is a tremendous challenge. It’s one of the biggest facing just about every company worldwide – large and small, public and private. No organisation is 100% safe.
Even one with a highly mature cyber-risk management programme still retains a residual risk that a material breach will occur and not be detected in a timely manner.
There is an opportunity to address cyber-risk co-operatively, using a holistic approach where boards, audit committees, IT, finance, and staff generally all have a stake in this critical enterprise-wide concern. It’s an opportunity that the Association is looking to expand upon, both for its members and for the public interest.
What is the Association doing to support its members’ risk management efforts?
Cyber-security is a key imperative for the profession in all areas of practice. Members can play a vital role in the holistic approach to addressing the issues I have described. An organisation’s cyber-security risk management programme is the set of policies, processes, and controls designed to protect its systems and the data they hold from security breaches or other compromises.
The programme enables organisations to detect, respond to, mitigate, and recover from security events. The Association believes that organisations would benefit from having a robust cyber-security risk management reporting framework as a vehicle for communicating with their boards and other key stakeholders on how they are dealing with the issue.
We are addressing this from both a management accounting perspective and an assurance perspective.
How is the AICPA’s Assurance Services Executive Committee helping the profession to address businesses’ cyber-security needs?
The committee’s cyber-security working group collaborated with the AICPA’s Auditing Standards Board to provide a common language for evaluating organisations’ cyber-security risk management programmes. What they built is designed to enhance public trust in the quality of corporate cyber-security.
In April, the AICPA launched a reporting framework to help organisations design and describe their cyber-risk management programmes to stakeholders such as investors, regulators, and customers.
Organisations can also use it as an internal risk management tool to establish security objectives and report to their boards on the effectiveness of their controls.
The framework establishes a common language for cyber-security risk management reporting that’s almost akin to US generally accepted accounting principles or International Financial Reporting Standards for international reporting. It is therefore a global solution with robust and complete criteria that can be used to support strategic, objectives-based cyber-security risk management. Given that cyber-security risks are dynamic, our criteria will evolve continually to address changing market needs.
As cyber-security maturity among organisations increases, the framework will also serve as a foundation for high-quality, independent third-party assurance engagements.
The working group also developed guidance to help accountants provide such assurance. So, if an organisation chooses to – and if it is in a state of readiness – it can seek an impartial assessment of the effectiveness of its cyber-risk management programme.
How important is it that management accountants understand that they have a key cyber-security role to play?
Cyber-security is not just “an IT problem”. It’s an enterprise risk management problem. Because management accountants have a unique view of the multitudinous risks facing their organisations, they can step in as advocates for establishing robust cyber-security objectives. In a similar way to how they help in setting the overall commercial goals of a business, they can ensure that these cyber-security objectives properly address all the risks that could affect its achievement of those goals. To this end, we have developed a cyber-security risk management tool for management accountants that provides strategies and essential information on how to monitor and manage the risks – and how to respond to the seemingly inevitable security breach.
Management accountants can now introduce their boards, audit committees, IT teams, and other internal stakeholders to the common language of our cyber-risk reporting framework, thereby encouraging a holistic approach to the issue.
By helping to implement the framework in their organisations, they can establish effective policies, processes, and controls. They can also use it to articulate their risk management programmes in a way that would facilitate any assurance engagement.
Is the Association working on other cyber-security guidance for members?
We have produced several resources that can be found at aicpa.org/cybersecurity. What’s more, we will be addressing cyber-security from the perspectives of professionals in all areas of practice at virtually every Association conference this year.
A version of this article appeared in the April edition of Financial Management magazine.