How board members can perform oversight of cybersecurity risks

By Ken Tysiac

Please note: This item is from our archives and was published in 2018. It is provided for historical reference. The content may be out of date and links may no longer function.

With organisations’ technology and systems under constant attack from hackers, cybersecurity oversight has become an increasingly important responsibility for board members.

New laws and regulations for managing and reporting on data security and cybersecurity risks create additional challenges for companies as they work to stay on top of the latest security trends and keep their systems and data safe.

A new tool from the Center for Audit Quality, which is affiliated with the American Institute of CPAs, provides board members with questions they can use in discussions with management and CPA firms about cybersecurity risks and disclosures.

The questions are related to:

  • Understanding how the financial statement auditor considers cybersecurity risk. Questions board members can ask include: How are cybersecurity risks that auditors identify addressed in the audit process? What impact would a cybersecurity breach have on the auditor’s assessment of internal control over financial reporting?
  • Understanding the role of management and the responsibilities of the financial statement auditor related to cybersecurity disclosures. Board members’ questions may include the following: How has management considered cybersecurity risks in its ability to report on information required in US Securities and Exchange Commission filings? What does the auditor consider related to cybersecurity disclosures?
  • Understanding management’s approach to cybersecurity risk management. Among the questions board members can ask: What framework does management use in designing its cybersecurity risk management programme? What processes are in place to periodically evaluate the cybersecurity risk programme and controls?
  • Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. Board members’ questions may include the following: What additional offerings can CPA firms provide related to cybersecurity, since the financial statement auditor’s focus is on IT risks that affect financial reporting?

Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is an FM magazine editorial director.

Up Next

UK job market shows signs of improvement

By Steph Brown
March 10, 2026
A monthly report’s hiring index moved closer to a neutral level and to the highest mark in three years.
Advertisement

Most Read

An introduction to Python in Excel: Part 1
Return to office: Where leaders and employees agree
An introduction to Python in Excel: Part 2
4 finance trends for 2026
How to develop your career and aim for the C-suite

LATEST STORIES

UK job market shows signs of improvement

IPSASB exposure draft designed to help governments leverage financial data

How companies can prepare for IFRS 18 adoption

IFRS 18: A fundamental redesign of financial statement presentation

Building a self-confident profession

Advertisement
Read the latest FM digital edition, exclusively for CIMA members and AICPA members who hold the CGMA designation.
Advertisement

Related Articles

AI early adopters pull ahead but face rising risk, global survey finds

February 27, 2026 Most companies committed to AI tools believe they have a strategic advantage, but a new survey shows they also have more risks to consider.
Introduction to Python in Excel: Part 3

Introduction to Python in Excel: Part 3

February 27, 2026 A practical way to create more complex and useful programs is to import libraries and modules.