Vet Your Vendors: The Intersection of Audit and Cybersecurity Risk
Please welcome Matt Kelly, Editor and CEO of Radical Compliance, to the Workiva blog.
Worry about cybersecurity is all the rage these days. The Public Company Accounting Oversight Board (PCAOB) wants audit firms to give the subject more attention as they audit your financial statements. The Securities and Exchange Commission wants companies to disclose more about cybersecurity risk. Your board wants to avoid data breaches that could bring millions in costs and months of bad headlines.
So how can a corporate audit or risk professional, caught in the middle of those pressures, focus on effective ways to address those different concerns?
First, appreciate that the phrase “cybersecurity risk” combines several different threats under one name. That is not surprising, since those threats trace back to the same root causes: poor access control and sloppy vendor risk management. What’s more, remediating those threats requires action in the same place, too: your IT general controls.
It is no wonder that we—boards, regulators, and the public—use “cybersecurity risk” as shorthand for multiple threats. But audit and internal control professionals have different types of threat to worry about.
For example, the data breach that had everyone talking in 2017 happened at Equifax. The company failed to update its software security patches in a timely manner, which led to exposure of the personal data of more than 140 million people.
The breach cost Equifax $87 million in the third quarter alone. It prompted hearings in Congress and headlines in newspapers across the country. It prompted CEO Richard Smith to “retire,” as the company phrased it, one month after the breach was disclosed.
That’s a mess, to be sure. But it isn’t what traditionally alarmed CFOs and auditors: the risk of material misstatement.
Misstatement happens when poor internal controls lead to manipulated transactions, misappropriation of assets, or line items rife with error. The financial statements tell investors that something of value is there, but, in reality, it isn’t.
Yes, cybersecurity weaknesses can cause misstatement risk. A financial application might have poor access controls, so someone manipulates transactional records and embezzles money. An employee could evade approvals and make outsized investment bets, changing the firm’s credit risk without supervisors knowing.
The “glamorous” cybersecurity lapses, however—the ones that grab headlines and terrify boards and regulators alike—are not ones that lead to financial restatement. They are data breaches that result in hackers absconding with personally identifiable customer data.
Breaches bring costly investigations, harm to reputation, litigation expense, and, often, fired CEOs. But they are a different type of havoc than what you experience with a material misstatement.
Material misstatements and data breaches: two separate risks, both needing attention from strong IT general controls. So how do we get there?
The bedrock issue: vendor risk management
All cybersecurity failures, ultimately, are about access control: someone gains access to data or applications improperly. But that oversimplifies the challenge.
In the real world, poor access control could be described as being careless with who has keys to your house. The more people that have them, the more likely it is that something terrible could occur. That analogy used to hold true for companies, too: if you didn’t know who has keys to the records room, you have higher risk that someone would steal files.
In the modern world of cloud technology services, that analogy breaks down. The records room no longer exists, and you have scattered company records to storage vaults—servers—all over the world, summoning them to your desk over the internet only when you need them.
So now you need to worry about the trustworthiness of those storage vaults, too. Other customers come and go through the same facility you use. So how do those vendors police against abuses? And how do you get assurance that those vendors meet your own company’s standards?
The COSO internal control framework helps, with its discussion of IT general controls. One great insight comes from Principle 11 of the full COSO framework: “The organization selects and develops general control activities over technology to support the achievement of objectives,” in the fourth point of focus:
"Technology general controls support the acquisition, development, and maintenance of technology. For example, a technology development methodology provides a structure for system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints with control over the acquisition, development, and maintenance of technology..."
This passage is so useful because its goals address both types of cybersecurity risk at once.
You could substitute “vendor” for “technology” in the above excerpt, and it would still hold true as a smart approach to vendor risk management. In the business world of today and tomorrow, the concept of vetting vendors is going to be crucial because the technology will matter less, while the vendor and the service it provides will matter more.
Consider the annual audit for an example. Auditors will want to test cybersecurity access, to see who might reach your data without permission. The sloppier your vendor risk management is, the more procedures they will use in their tests—and the more painful your audit will be.
However, when you apply the principles of IT general control to vendor risk management you can answer those questions more easily. That will be true whether we are talking about misstatement risk or data breaches.
How to translate those IT general controls into policies and procedures for vendor risk management is a subject for another blog post. And the task is difficult, since finding new cloud IT services has never been easier, which means the risk of inadequate vendor risk management is high.
At least we will understand the core issue correctly. That’s something, because it will be with us for a long while.
Find out what you should look for in a SOX and internal controls software vendor—download this checklist of the eight key factors every company should take note of.