The Sunk Costs of Cybersecurity Testing: Who Bears Responsibility?
DOI: https://doi.org/10.33423/jabe.v26i2.7042
Keywords: business, economics, auditor responsibility, cybersecurity audit, audit specialist, risk of cybersecurity, cybersecurity standards
Abstract
This paper intends to bring further clarity to the role of the auditor when cybersecurity is a consideration in the audit. There appears to be an expectation gap between what the public expects and what the auditor's role actually is, and cybersecurity testing requires additional skills and effort. Are auditors currently compensated for cybersecurity testing? Do they want the scope of the audit to expand to include cybersecurity assessment? Will this lack of clarity affect a corporate governance model that is based on transparency and monitoring? Limited data is available regarding cybersecurity audits and whether such audits lower the threat of cybersecurity incidents. Our analysis suggests that auditors should not have direct responsibility for testing the cybersecurity of a client; rather, direct testing should be carried out by a third party, primarily an auditor's specialist. It is also time to expect the auditor to become familiar with general cybersecurity skills and standards.