Rules for Auditor Assessment of Cybersecurity Under Consideration

By Laura Tieger Salisbury

New rules about auditor responsibility for assessing companies’ cybersecurity defenses and use of software audit tools are on the horizon.

Glenn Tempro, associate director of the Public Company Accounting Oversight Board, told the American Institute of CPA’s banks and savings institutions’ conference Sept. 11 that software audit tools are enabling auditors to assess increasing volumes of data to better identify risks and to tailor their approaches to conducting an audit.

The PCAOB is considering whether to update certain audit standards to provide more specific guidance about these changes in firms’ audit methodologies.

The auditor needs to evaluate whether the information technology tool—software—is meeting the objective for which it is being used. The software doesn’t remove the responsibility of “testing the data and making professional judgments,” Tempro said.

Cybersecurity also becomes the auditor’s concern because cyber attacks may affect the reliability of the information that auditors evaluate. Risks include unauthorized access to data that might result in destruction or improper changes to information, such as reporting unauthorized or nonexistent transactions, Tempro said.

A firm’s cybersecurity defenses are critical to protecting the data, and auditors must consider the sufficiency of the firm’s approach to securing the data, Tempro said.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
