How board members can perform oversight of cybersecurity risks

By Ken Tysiac

Please note: This item is from our archives and was published in 2018. It is provided for historical reference. The content may be out of date and links may no longer function.

With organisations’ technology and systems under constant attack from hackers, cybersecurity oversight has become an increasingly important responsibility for board members.

New laws and regulations for managing and reporting on data security and cybersecurity risks create additional challenges for companies as they work to stay on top of the latest security trends and keep their systems and data safe.

A new tool from the Center for Audit Quality, which is affiliated with the American Institute of CPAs, provides board members with questions they can use in discussions with management and CPA firms about cybersecurity risks and disclosures.

The questions are related to:

  • Understanding how the financial statement auditor considers cybersecurity risk. Questions board members can ask include: How are cybersecurity risks that auditors identify addressed in the audit process? What impact would a cybersecurity breach have on the auditor’s assessment of internal control over financial reporting?
  • Understanding the role of management and the responsibilities of the financial statement auditor related to cybersecurity disclosures. Board members’ questions may include the following: How has management considered cybersecurity risks in its ability to report on information required in US Securities and Exchange Commission filings? What does the auditor consider related to cybersecurity disclosures?
  • Understanding management’s approach to cybersecurity risk management. Among the questions board members can ask: What framework does management use in designing its cybersecurity risk management programme? What processes are in place to periodically evaluate the cybersecurity risk programme and controls?
  • Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. Board members’ questions may include the following: What additional offerings can CPA firms provide related to cybersecurity, since the financial statement auditor’s focus is on IT risks that affect financial reporting?

Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is an FM magazine editorial director.

Up Next

Despite global job insecurity, some young workers are upbeat

By Steph Brown
April 2, 2026
Fewer than one in four employees are confident their current job is safe, according to a global survey. Worker engagement is tied to development opportunities, which are inconsistent across age groups.
Advertisement

Most Read

5 types of imposter syndrome and strategies to manage self-doubt
An introduction to Python in Excel: Part 1
An introduction to Python in Excel: Part 2
Introduction to Python in Excel: Part 3
How companies can improve earnings-per-share disclosure - FM

LATEST STORIES

Despite global job insecurity, some young workers are upbeat

April FM: Assessing your worth, board recruitment, and AI governance

CIMA roundup: Global talent development in focus

Rise2040: Envisioning the future of accounting and finance

Quantum of risk

Advertisement
Read the latest FM digital edition, exclusively for CIMA members and AICPA members who hold the CGMA designation.
Advertisement

Related Articles

April FM: Assessing your worth, board recruitment, and AI governance

April 1, 2026 FM’s editor-in-chief details articles in the April digital edition, including one on advice for determining what you’re worth and another detailing steps organisations can take to establish an AI governance policy. Listen to the episode or read the Q&A.
Rise2040: Envisioning the future of accounting and finance

Rise2040: Envisioning the future of accounting and finance

March 27, 2026 The acclaimed futurist guiding the Association’s Rise2040 visioning project explains how to anticipate — and prepare for — the next 15 years.