Press Release: CAQ: Auditors Can Play a Role in Meeting Growing Cybersecurity Needs of Organizations

Washington, DC – As leaders gather in Washington today for the Internet Security Alliance’s (ISA) Top of the Hill cybersecurity conference, the CAQ is pleased to highlight its contribution to the ISA’s Social Contract 3.0: Implementing a Market-Based Model for Cybersecurity, a publication that will be featured at the event. ISA’s Social Contract 3.0, which provides wide-ranging perspectives and recommendations from numerous industries and professions across the private sector and policy spectrum, is targeted particularly to leadership of the incoming U.S. administration.

“On the eve of change in administration, the United States stands at a critical juncture in terms of how we think about cybersecurity and cybersecurity policy,” said Larry Clinton, ISA President and CEO. “The ISA is pleased to have the auditing profession’s voice be a part of ourSocial Contract.”

The CAQ’s contribution to Social Contract 3.0 explains how the auditing profession is in a strong position to play an important role in fostering instructive conversations about cybersecurity risk management, bringing to bear its core values—including independence, objectivity, and skepticism—as well as its deep expertise in providing independent evaluations in a variety of contexts.

The auditor has experience in performing independent, objective assessments of an entity’s privacy and security practices through other engagements, which are already trusted in the capital markets, and stands ready to offer a scalable, voluntary process to examine companies’ internal controls related specifically to cybersecurity risk management, says the CAQ in the publication.

“Given its prominence for investors and markets, cybersecurity has been a top priority for the Center for Audit Quality,” said CAQ Executive Director Cindy Fornelli. “Auditors can expand their role in accordance with time-tested assurance frameworks, thus bringing the profession’s many strengths to bear on today’s cybersecurity challenges. Reports issued under this new approach would benefit from the consistency, rigor, independence and objectivity of the practitioners.”

Submitted on behalf of the auditing profession, the CAQ’s chapter covers several major points.

·         Key cybersecurity considerations: Leveraging observations from CAQ member firms, the CAQ identifies several key considerations with respect to the threats and responses by the corporate community to the evolving cybersecurity landscape.

·         The profession’s new and comprehensive approach: The CAQ describes a process, now in the final stages of development by the Assurance Services Executive Committee of the American Institute of CPAs, to examine internal controls related specifically to cybersecurity risk management. While separate and apart from the existing financial statement audit process, this cybersecurity examination could be performed by the external auditor or another audit firm.

·         The audit profession’s strong foundation: In developing this new approach, the profession draws upon the fundamental principles and standards of performance that have defined it for over 125 years. These principles include independence, objectivity, skepticism, due professional care, and compliance with an established professional code of conduct. Additionally, auditors have experience in assessing an entity’s privacy and security practices through other attest engagements that are trusted and accepted in the marketplace.

·         Principles for better cybersecurity outcomes: The CAQ suggests several principles that “must be embedded in the public policy dialogue around these and future enhancements to adequately address cybersecurity.” These include avoiding “blaming the victim” of cybersecurity attacks, as well as enabling private-sector solutions to cybersecurity challenges.

Social Contract 3.0 is available at the ISA website.

# # #

The Center for Audit Quality (CAQ) is an autonomous public policy organization dedicated to enhancing investor confidence and public trust in the global capital markets. The CAQ fosters high quality performance by public company auditors, convenes and collaborates with other stakeholders to advance the discussion of critical issues requiring action and intervention, and advocates policies and standards that promote public company auditors’ objectivity, effectiveness, and responsiveness to dynamic market conditions. Based in Washington, DC, the CAQ is affiliated with the American Institute of CPAs. For more information, visit