As independent auditors of public companies and business development companies begin making the required disclosure of Critical Audit Matters (CAMs) in their audit reports, those reports are beginning to include discussion of information security programs and information technology controls. Independent auditors have treated deficiencies in certain information technology controls as material weaknesses in internal control over financial reporting because of their potential to affect financial reporting.
Although the PCAOB previously issued guidance that cybersecurity incidents affecting the financial statements, including key estimates, valuations, or the accounting for transactions, could become the subject of communications between the auditor and the audit committee, that guidance noted the necessarily fact-specific nature of the analysis. It did not specifically address information technology controls or information security outside the context of a cybersecurity incident. Because a CAM is defined as a matter that relates to accounts or disclosures material to a public company's financial statements and that involves "especially challenging, subjective, or complex" auditor judgment, independent auditors have wide latitude to assess information technology controls and information security to the extent they affect financial reporting.
To date, CAMs relating to information technology controls disclosed in the auditor's reports included in certain public companies' Forms 10-K include:
- Ineffective risk assessment and monitoring mechanism over information technology controls;
- Inadequate backup and restoration plan;
- Failure to establish and perform periodic review and security monitoring for unauthorized access to financial systems;
- Failure to maintain segregation of duties across the operating system, application, and database layers;
- Insufficient ability to assess controls over third-party information technology providers;
- Ineffective user access controls regarding information technology personnel’s access to the financial control system; and
- Ineffective change management controls over information technology systems that support financial reporting.
These CAMs suggest that independent auditors are focused on information security programs and information technology controls that relate in some way to financial reporting, or on third-party service providers that support financial reporting. Given the prevalence of electronic systems involved in financial reporting, the range of information technology controls and information security program elements potentially in scope is noteworthy.
The PCAOB's phased implementation of Critical Audit Matters continues through December 2020: the requirement already applies to audits of large accelerated filers and extends to audits of all other covered companies for fiscal years ending on or after December 15, 2020. Entities not yet subject to the requirement may wish to revisit the impact that their information technology controls and information security program have on their financial reporting framework.