Internal auditors are worried that boards are not paying enough attention to—wait for it—internal auditors. Probably most often, we consider the internal audit function in the context of financial reporting, but its brief can extend to many other risk areas. To be sure, the speed of technological development and disruption has accelerated the development of risks—exhibit one being the development of the internet, which has led to risks related to cyberattacks and privacy. A 2019 report regarding a survey by the Institute of Internal Auditors of over 500 chief audit executives (CAEs) concluded that these developments “place an even higher value and urgency on assuring that boards have complete and accurate information on which to base their decisions…. In today’s dynamic risk environment, CAEs must do more than simply understand and fall in line behind the board’s view on risk. This new outlook must center on assuring the board has a comprehensive and unencumbered understanding of the organization’s risk universe.” Nevertheless, according to the President and CEO of the IIA, CAEs responding to the survey said that “internal audit rarely reviews information provided to the board, with 6 in 10 [CAEs] reporting they provide such assurance only for unusual situations, or never.” As a result, there were “serious questions about whether internal audit’s insights and recommendations are getting through to boards.”
In a speech given yesterday at Columbia University, SEC Chair Jay Clayton reviewed the SEC’s regulatory achievements over the past year, metaphorically slapping the SEC and the staff on the back for a job well done in accomplishing 88% of the items identified on the SEC’s near-term agenda for fiscal 2018. Of particular interest, however, was his discussion of the some of the priority items on the 2019 agenda. In closing, Clayton hammered again at three risk areas that the SEC is currently monitoring—yes, those three. Clearly, the signal is that companies should consider these risks.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.
Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.
Even though, in the wake of recent events, cybersecurity is a very hot topic, only 38% of U.S. public companies cite cybersecurity as a risk factor in their annual and quarterly SEC filings, according to a recent study from Intelligize. The study showed that, while only 426 public companies cited cybersecurity as a risk in 2012, that number grew to 1,662 in 2016. However, so far in 2017, the number has been relatively flat at 1,680. But the question remains, how long will that continue?