Until recently, cybersecurity’s relationship with financial statements focused on fraudulent activities that disrupted a company’s bottom line. However, as breaches continue to rise, industry experts are starting to notice auditors aren’t doing enough to consider the risks created by these attacks. Because of this, in 2021 and beyond, board members, senior leaders and audit teams will need to start integrating cybersecurity into how they view compliance for Sarbanes-Oxley (SOX) and privacy-related mandates like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). And while this will lead to authoritative boards issuing guidance initiatives, it doesn’t mean businesses should wait to act.
Cybersecurity’s relationship with financial statements and internal control audits
The rise in cyberattacks poses significant risks to financial applications and the validity of the reports they produce. This is especially apparent as threat actors continue to target business-critical applications that house vast amounts of company, employee and customer financial data.
These applications produce financial reports that are trusted by investors, stockholders, banks and other stakeholders – not to mention required to meet compliance standards like SOX. Yet, when it comes to cybersecurity and financial statements, authoritative boards and companies have historically focused only on fraudulent activity. For instance, if someone successfully phished an organization and stole funds, the focus has been on how the theft impacted the business’s bottom line.
In 2020, however, after reviewing audit files from organizations that had been breached the previous year, the Public Company Accounting Oversight Board (PCAOB) issued a report that suggested while most auditors tried to quantify a financial impact after a breach, they didn’t expand to determine if there were risks of material misstatement. Similarly, the PCAOB suggested auditors didn’t go far enough to assess what types of deficiencies were related to internal controls over financial reporting. The bottom line: organizations aren’t doing enough to determine the risks cybersecurity vulnerabilities create.
So, how can board members, senior leaders and audit teams adapt and improve?
How to find risks and integrate cybersecurity into compliance mandates
The answer is quite simple: expand your risk assessment. The best place to start is with access control and change management, followed by a thorough review of all custom code.
Access controls focus on ensuring the right people have the correct access and appropriate roles in financial applications and making sure the system properly enforces these roles and permissions. However, there are dozens of other ways access control risk can harm a company. Many auditors do not think of these risks, which include vulnerabilities, misconfigurations and superuser abuse. To help mitigate these blind spots, auditors need to engage cybersecurity experts to supplement the assessment and ensure all risks are captured, assessed and a proper monitoring and mitigating strategy is put in place.
Change management, on the other hand, focuses on ensuring changes to mission-critical applications are complete and valid. However, these changes aren’t actually audited today within the scope of regulations like Sarbanes-Oxley. Changes are only checked against a series of tickets. Was a change requested? Yes. Was it pushed into production following the proper separation of duties? Yes. Was it put in a ticket and did it include the proper sign-offs? Yes. Nobody checks what the change actually does, and this lack of oversight can create significant gaps in protection and compliance.
The biggest potential unknown risk for change management, however, comes from custom code. During a change request, businesses could deploy bad code with malicious intent from a hacker (think SolarWinds). Bad code could also be introduced unintentionally by the organization’s own developers or by third parties. These mistakes could substantially change financial reporting, the internal controls that support complete and accurate financial reporting, and more.
What does this look like in real life? Through custom report creation, we have seen lines of code that share financial information to personal email addresses outside an organization, grant access to modify tables, change information and even grant views into Personally Identifiable Information (PII) that bypass internal access controls, resulting in SOX compliance issues and violations of other data privacy laws. All of this is completely invisible to the actual users. And once the line of code is written and imported into production, it is there forever until it is removed.
Keeping tabs on the risks created by access controls, change management, user privileges and custom code can be a time-consuming process that’s also difficult to track if done manually. Organizations should consider technology that helps automate code review, check code quality and uncover known vulnerabilities. Businesses might also find it helpful to utilize tools that track user activity, flag anomalous behavior and raise alarms when privileges have been escalated within their mission-critical applications. These supporting tools can help identify risks, highlight compliance concerns and spot vulnerabilities before they materialize into major headaches (at best) and brand damage, legal proceedings and substantial fines (at worst).
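As an added illustration (not code from the article), the following script shows the kind of check an automated code-review control can run over custom report code before it is promoted to production: it flags financial data being mailed to addresses outside the company, privilege grants embedded in report code, and reads of PII tables with no access check in the unit. The corporate mail domain, the PII table names and the name of the access-check routine are assumed values for this example.

```python
import re

# Assumptions (constructed for this example): the organisation's own mail domain,
# the tables that hold PII, and the name of the access-check routine that custom
# report code is required to call before reading those tables.
CORPORATE_DOMAINS = {"example-corp.com"}
PII_TABLES = {"EMPLOYEE_BANK_DETAILS", "CUSTOMER_SSN"}
ACCESS_CHECK = "authority_check"

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
GRANT_RE = re.compile(r"\bGRANT\s+(?:ALL|INSERT|UPDATE|DELETE|SELECT)\b", re.I)
TABLE_RE = re.compile(r"\b(" + "|".join(sorted(PII_TABLES)) + r")\b")

def scan_custom_code(source: str) -> list[dict]:
    """Return one finding per risky line: external email recipients,
    privilege grants embedded in report code, and reads of PII tables
    when no access check appears anywhere in the unit."""
    findings = []
    has_access_check = ACCESS_CHECK in source
    for lineno, line in enumerate(source.splitlines(), start=1):
        for domain in EMAIL_RE.findall(line):
            if domain.lower() not in CORPORATE_DOMAINS:
                findings.append({"line": lineno, "rule": "external-email", "detail": domain})
        if GRANT_RE.search(line):
            findings.append({"line": lineno, "rule": "embedded-grant", "detail": line.strip()})
        for table in TABLE_RE.findall(line):
            if not has_access_check:
                findings.append({"line": lineno, "rule": "pii-without-access-check", "detail": table})
    return findings

# Constructed sample: a custom GL report that does several of the things
# described in the article (mails data externally, grants itself rights,
# reads a PII table without any access check).
SAMPLE_REPORT = """\
-- custom GL variance report
SELECT account, amount FROM GL_BALANCES WHERE period = :p;
SELECT name, bank_account FROM EMPLOYEE_BANK_DETAILS;
GRANT UPDATE ON GL_BALANCES TO report_user;
CALL send_mail('cfo@example-corp.com', :report);
CALL send_mail('someone@gmail.com', :report);
"""

if __name__ == "__main__":
    for f in scan_custom_code(SAMPLE_REPORT):
        print(f"line {f['line']}: {f['rule']} ({f['detail']})")
```

Each finding carries the offending line number, so it can be attached to the change ticket as evidence that the review looked at the code itself rather than only at the ticket trail.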
Authoritative guidance moving forward
This groundswell of change and heightened awareness will force authoritative boards to issue guidance initiatives that take a closer look at cybersecurity related to financial statements and internal control audits in 2021. Key objectives in these guidelines will likely include:
Increased scrutiny on access controls and separation of duties beyond what is provisioned as part of a business control process.
Requirements to obtain assurance over an organization’s code review processes, not only understanding this process but also auditing it to ensure that the controls work and function as intended.
Patch management process prioritization, as many of the risks that vulnerabilities present can be mitigated through patches. Currently, patching is also audited only via tickets.
Increased scrutiny on business continuity planning and disaster recovery in the event of a breach.
Businesses should understand that guidance initiatives of this kind are not authoritative, all-encompassing rules. So, companies shouldn’t sit and wait. These risks exist today. Every day an organization waits to identify, monitor and mitigate financial risks, it puts its business in jeopardy and increases the chance of a compliance violation from an unseen threat. In 2021 and moving forward, cybersecurity, compliance and financial statements will only interconnect more closely. The convergence is already on the way, but it shouldn’t take regulatory guidance to change your strategy. Forward-looking companies will address these risks today.