CAQ Encourages Auditors to Play Larger Role in Cybersecurity
Recognizing the increasingly important role of cybersecurity in audits, particularly in the pandemic era, the Center for Audit Quality has released a guide for auditors on points to consider when addressing the topic in an audit. It noted that while many companies recognize cyberattacks as a risk, few go beyond general statements about cybersecurity risks and their cybersecurity-risk management programs in their disclosures. Only a small minority of companies disclose that they perform cyber incident simulations or tabletop exercises, that management uses an external independent consultant for cybersecurity-related practices, or that the board engages an external independent adviser.
Currently, the auditor is expected to broadly consider cybersecurity risks that could have a material effect on the company's financial statements and, in an integrated audit, on internal control over financial reporting (ICFR). But the CAQ said that auditors can play a greater role in this field beyond the audit of financial statements, by assessing or providing assurance over the company's cybersecurity program itself, using the AICPA's System and Organization Controls (SOC) for Cybersecurity framework.
"Auditors can use the criteria in the AICPA’s SOC for Cybersecurity framework to opine on the cybersecurity risk management program’s design and on the effectiveness of controls management has designed to achieve the organization’s cybersecurity objectives," said the CAQ. "The practitioner’s report (i.e., their opinion) may assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of their organization’s cybersecurity risk management programs."
The CAQ also noted that boards play a large role in cybersecurity oversight, and suggested a number of questions that board members should consider raising in their discussions with auditors on this matter.