In Module 4, we've learned about Cybersecurity and Auditing. Please review all materials posted in this module, and submit a thoughtful discussion post in response to the readings. Specifically, you’ll have to
(1) summarize and explain the main points of the articles that you choose from the assigned papers
(2) conclude with your own opinion about the issue being discussed in the article.
Your opinion can be supported by personal experience, specialized publications, textbooks, and/or scholarly research. Discussion posts should be no shorter than 200 words. You need to cite at least two sources outside the readings, and the post needs to be in APA format.
7/1/2021 Auditing for Cybersecurity Risk – The CPA Journal
https://www.cpajournal.com/2019/06/19/auditing-for-cybersecurity-risk/ 1/8
Auditing for Cybersecurity Risk
Featured, Columns | June 2019 Issue
By Steven Wertheim (https://www.cpajournal.com/author/steven-wertheim/)
Around the globe, cybercrime cost society over $3 trillion in 2018, and this cost is forecast to rise to $6 trillion by 2021 (“Cybercrime Damages $6 Trillion by 2020,” Cybersecurity Ventures, Dec. 7, 2018, http://bit.ly/2K6cC7k); that translates to a 43% year-over-year increase for each of the next three years. At $6 trillion, cybercrime will represent approximately 7% of worldwide GDP and will be the third largest component of the world economy, just behind the GDPs of the United States and China. U.S. ransomware costs have grown from $25 million in 2014 to over $8 billion in 2018 and are showing no signs of stopping (“Global Ransomware Damage Costs Predicted To Exceed $8 Billion In 2018,” Cybersecurity Ventures, June 28, 2018, http://bit.ly/30Oc3VE). Ginni Rometty, IBM’s chairperson, CEO, and president, has stated that “cybercrime represents the greatest threat to every company in the world” (Steve Morgan, “IBM’s CEO On Hackers: ‘Cyber Crime Is The Greatest Threat To Every Company In The World,’” Forbes.com, Nov. 24, 2015, http://bit.ly/2Ww6M5V).
Yet society continues to ignore the issue or pass the buck, saying that cybercrime is a complex technology problem. In reality, cybersecurity is everyone’s responsibility, as 89% of all cyberattacks come from inside organizations via malfeasance or nonfeasance (“The Primary Factors Motivating Insider Threats,” ObserveIT, May 21, 2018, http://bit.ly/2K7RvSg).
The Scope of the Problem
According to a GAO audit released in September 2018, government agencies, including the federal government, are failing to adequately address cybersecurity risks, jeopardizing not only the operations of federal government and state governments, but also the personal information of U.S. citizens (Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation, http://bit.ly/30uErMq). The report notes that, of the more than 3,000 recommendations the agency has issued since 2010, 1,000 have not been implemented as of August 2018. In addition, 31 of the 35 highest priority recommendations have not been addressed, including the following:
Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace
Improve implementation of government-wide cybersecurity initiatives
Strengthen the federal government’s role in protecting the cybersecurity of critical infrastructure (e.g., the electric grid and telecommunications networks).
No venture intends to fail, so why are companies failing so badly? Consider the following three examples:
Equifax. Equifax suffered a major breach in March 2017, but the company did not discover it until July 2017. It neglected to report the breach to the public and did so only after an SEC insider trading investigation into several executives uncovered that the executives knew about the breach. It was finally reported to the public in September 2017, yet Equifax was ill prepared to determine the actual number of breached individuals and failed to provide accurate information to the third-party remediation firm. The U.S. Senate report on the breach (http://bit.ly/2JAhceA) castigated Equifax for—
not following its own patch policy (8,500 known vulnerabilities, including 1,000 critical vulnerabilities, were identified by a 2015 audit. Equifax failed to do any follow-up audits or patch its systems. Equifax’s patching policy mandated the company’s IT department patch critical vulnerabilities within 48 hours.)
deliberately choosing to save personally identifiable information (PII), including usernames and passwords, in unencrypted file shares accessible by Equifax employees, and not having basic tools in place to detect and identify changes to files.
On May 22, 2019, Moody’s downgraded Equifax’s rating to “negative,” saying, “Higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future.” While this is the first downgrade as the direct result of a cyberattack, it will not be the last.
Starwood. Starwood suffered a significant data breach of approximately 500 million customers’ information. Included in the theft were over 327 million records with PII and over 5 million unencrypted passport numbers. The breach dated back to 2014, but was not detected until September 2018. For more than 1,300 days, Starwood data integrity had been compromised and no one, including Marriott, which acquired Starwood in November 2015, knew about the breach. Of note, the FBI Electronic Crimes division estimates that for every 100 days between a breach and the discovery of the breach, the cost of the breach doubles. This suggests that the ultimate cost of the Starwood breach will be 8,192 times the “original” cost had it been discovered immediately. A comprehensive security assessment at any time over the 1,300-day period would have found the breach.
Citrix. On April 29, 2019, Citrix sent a letter to the attorney general of California confirming that a breach had occurred on October 13, 2018, 196 days earlier. In the letter, Citrix confirmed that it was advised of the breach by the FBI on March 9, but waited seven additional weeks to inform the public (http://bit.ly/2Erqbus). It also advised the public to utilize monitoring services from Equifax.
In none of the cases above were technology and tools the root causes of the severity of the attack. All too frequently, the cause of a breach lies in the actions of human
beings.
What Are the Compelling Issues?
Lack of business focus. When a cyber-crime event occurs, the information security (IS) team or information technology (IT) team immediately begins attacking the problem with all of its resources. Too often, however, these efforts remain siloed from the rest of the business. At the same time, business units are experiencing critical systems failures and “pinging” the IT and IS teams to find out what is happening, and executives are dealing with the public reaction to the incident and its potential market implications. This only adds to the chaos, exacerbating the cost of the breach and significantly increasing the likelihood that the business will fail.
Inadequate resourcing and training. Companies too often view incident response as a sunk cost that has no benefit to the bottom line. Executives express concern that incident response costs are taking money, time, and people away from driving revenue. Moreover, when organizations conduct cybersecurity training, the focus is usually on the IT and IS teams, as opposed to the entire business. Even when companies do company-wide training, the message often does not stick. As a result, too many companies inadequately prepare themselves for an attack that, sooner or later, will occur.
Inadequate understanding of the risks. How many organizations really understand the level of cybersecurity risk? How often do companies perform a cybersecurity framework risk assessment? When speaking to risk executives, the most frequent response to “What keeps you up at night?” is “I have no idea where my most critical data reside.” Auditors are tasked with documenting and categorizing risk; if they do not know where the critical data reside, how can they effectively measure and report on the client’s risk, especially in the case of small and medium-sized businesses?
In 2016, a clothing manufacturer contracted for a social engineering pen test at a secure site, accessible only via card-key locked doors. The testing team successfully penetrated the most secure systems in the company, including its mainframe, in less than two hours without using a single technology tool. In another example, a large Wall Street financial services company recently discussed how it repeatedly tests employee adherence to corporate email standards. One key policy is that employees never open e-mail attachments from an unknown source; during its last test, however, 65% of employees opened the attachments on the test phishing e-mail.
Inadequate monitoring. Unified training as to why cybersecurity tools provide critical support, which parts of the data infrastructure represent the greatest risk to the business, and how to mitigate those risks, is sorely lacking at many companies. There is a fundamental lack of risk analysis and assessment. Consider the examples above: Equifax, Starwood, and Citrix all possessed and used best-in-class, comprehensive security information and event management (SIEM) monitoring tools. Yet in each case, the tools were being directed at the wrong areas. Starwood’s breach was not noticed for over 1,300 days. Equifax’s monitoring was so bad that when Mandiant came in after the breach, it was given inaccurate information. The Citrix incident is still so fresh that it will be several months before observers know what happened. Consider also MyHeritage, which only found out about a breach of 93 million customer records when a university researcher sent a file he found on the dark web, entitled “MyHeritage files,” to the MyHeritage chief information security officer (CISO) asking, “Is this yours?”
Lack of an incident response plan (IRP). This is primarily a problem in small and medium-sized companies. A company’s size does not obviate its risk, however; in the United States, FEMA reports that only
70% of cyberattacks are aimed at small and medium-sized companies, covering only 50% of the business landscape. According to FEMA and the National Cyber
Security Alliance, as much as 60% of small and medium-sized companies that are attacked go out of business after six months. In the United States in 2018, there were
approximately 217,000 businesses between $10 and $500 million of annual revenue; that means more than 65,000 businesses can be expected to fail due to economic
fallout from a cyberattack. Any time a business fails, there are ripple effects. For example, insurers have to pay out on claims, service companies lose clients, and real
estate companies lose rental income.
Lack of updating and testing of the IRP. Once organizations have an IRP, they tend to check off the compliance box, put the plan on a shelf, and don’t bother looking at it again until an incident occurs. This leaves them with IRPs that do not reflect the current business environment, responsibilities, regulatory requirements, or staff. Too often, companies end up with multiple points of failure within their plans; by not testing their plans on a regular basis, organizations have no way to validate their efficacy or remediate their weaknesses. Some businesses rely on cyberinsurance to mitigate the risk, but most cyberinsurance policies for small and medium-sized companies have a $250,000 coverage limit, while the median cost to a small company (25 employees or less) to recover from a cyberattack is $690,000. The median cost for a 100-employee company is $1.1 million, and the costs rise geometrically from there.
Lack of third-party support. The chief information/chief security officer of a large New York–based credit union once shared his nightmare experience with the author, describing the helpless panic he felt in negotiating a deal with a world-class response vendor for the first 72 hours after a major data breach. He talked about his lack of leverage in negotiating anything with the third party, all while his credit union was front-page news. It was the worst 72 hours of his career.
The reason for third-party support is to get an unbiased view of the problem. The biggest challenge an organization has during an incident is that too many staff members operate under assumptions because they know the business and take logical shortcuts. Assumptions almost never match up to the reality, however, exacerbating the impact of the incident. The third party does not know the business and therefore must follow the documentation and the defined processes.
Lack of audit involvement. Auditing is a key component in risk assessment and prevention. Without an independent set of eyes looking at the processes, policies, and governance issues, how can an organization ever have a clear picture of the risk? How can auditors ever certify the overall business health of the client—a critical part of 10-Ks and annual reports—without that understanding?
If this were primarily a technology problem, the big financial service firms and technology firms would never be hit, but they are. If this were only a technology problem, cybercrime would not be growing as fast as it is. The human factor underpins so much of the risk that enables cyberattacks and allows them to succeed, and it does so on both sides. Both the breachers and the company insiders whose mistakes enable successful breaches are human. There is an affirmative obligation for everyone responsible for cybersecurity (i.e., everyone) to recognize that ignoring the problem does not solve anything.
Solutions
Companies must learn to live with cyberattacks as a normal part of daily business. That said, they can significantly reduce the impact of these attacks and protect the digital assets that have more value to businesses than cash in the bank.
Focus on the business. Incident response is a vital requirement for corporate health. It is a function that should report to the CEO or the board and be treated as a primary fiduciary responsibility by the board and executive team. Cybersecurity should be viewed as a business issue, not a technology issue, and every part of the business should be on the same page. Auditors need to call this out.
Understand the risks. Auditors should ask clients, “Where is your most critical data?” If management is not able to answer that question simply, that’s a problem. In addition, auditors should
ask about the IRP, password controls, regulatory impacts, and cybersecurity framework assessments such as National Institute of Standards and Technology (NIST) SP
800-53 or NIST SP 800-171. Auditors should understand the entire governance framework in use and assist by bringing in the right third-party resources to do the
work.
Audit to ensure adequate resourcing. An incident response team, when properly constructed, serves the needs of the business. To do that, the team must have stakeholders and representatives from all
parts of the business. In addition, there should never be a single point of failure in any aspect of incident response. The only way to get organizations to understand the
impact of these risks is to provide training.
Update understanding of the risks. Assess the risk of the client’s environment on a regular basis. Identify the risks and look closely at which risks are most critical. An easy decision is to get rid of
passwords; as currently constructed, password controls are a failure. Bill Burr, a manager at the NIST who wrote the password primer in 2003 that recommended
many of the rules now in use, concedes that he was wrong and that the current paradigm actually increases risk. Instead, some form of multifactor authentication
should be mandatory, such as a gold-chip ID card (e.g., PIV, PIVI, or RapidGate) tied to a registered device, such as the user’s cellphone.
Patch security flaws in a timely fashion. Yes, there is much regression testing that needs to be done, and one patch can sometimes break production applications. But consider that the NotPetya/WannaCry(pt) day-zero patch was released in March 2017, and companies waited between 3 and 18 months to patch for it, at a cost of over $10 billion worldwide. The more than $348 million lost at Reckitt-Benckiser alone is far greater than the cost of a short-term production failure.
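As an added example (not code from the article or its author), two small audit helpers in Python: a check of a 48-hour critical-patch SLA like the Equifax policy the Senate report cites, run over a constructed finding inventory, and the "cost doubles every 100 days of dwell" rule the Starwood example applies. The finding ids, dates and as-of date are constructed for the demo.

```python
from datetime import datetime, timedelta

# Policy under audit: critical findings must be patched within 48 hours.
# Only severities listed here carry an SLA; others are reported but not timed.
SLA_HOURS = {"critical": 48}

# Constructed sample inventory for the demo: (finding id, severity,
# date identified, date patched or None). Ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    ("FINDING-001", "critical", "2015-03-02", "2015-03-03"),  # patched in time
    ("FINDING-002", "critical", "2015-03-02", "2015-03-09"),  # patched late
    ("FINDING-003", "critical", "2015-03-10", None),          # still open
    ("FINDING-004", "high", "2015-03-11", None),              # no SLA, open
]


def _parse(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d")


def patch_sla_exceptions(findings, as_of, sla_hours=SLA_HOURS):
    """Return one audit exception per finding that breached its SLA.

    A finding is an exception if it was patched after the deadline, or is
    still open and the deadline has already passed as of the audit date.
    Open findings whose deadline has not yet passed are not exceptions.
    """
    as_of_dt = _parse(as_of)
    exceptions = []
    for fid, severity, identified, patched in findings:
        hours = sla_hours.get(severity)
        if hours is None:
            continue  # severity carries no SLA under this policy
        deadline = _parse(identified) + timedelta(hours=hours)
        closed_at = _parse(patched) if patched else None
        # Measure against the patch date if closed, else against the audit date.
        reference = closed_at or as_of_dt
        if reference <= deadline:
            continue  # patched in time, or open but still inside the window
        overdue = reference - deadline
        exceptions.append({
            "id": fid,
            "severity": severity,
            "status": "patched late" if closed_at else "open past SLA",
            "days_overdue": overdue.days,
        })
    return exceptions


def sla_compliance_rate(findings, as_of, sla_hours=SLA_HOURS):
    """Share of SLA-bearing findings that were NOT exceptions (0.0 to 1.0)."""
    covered = [f for f in findings if f[1] in sla_hours]
    if not covered:
        return 1.0
    breached = len(patch_sla_exceptions(covered, as_of, sla_hours))
    return (len(covered) - breached) / len(covered)


def dwell_cost_multiplier(dwell_days, doubling_period_days=100):
    """Article's rule of thumb: cost doubles for every full 100 days of dwell."""
    return 2 ** (dwell_days // doubling_period_days)


if __name__ == "__main__":
    for exc in patch_sla_exceptions(SAMPLE_FINDINGS, "2015-03-20"):
        print(exc)
    print(f"compliance: {sla_compliance_rate(SAMPLE_FINDINGS, '2015-03-20'):.0%}")
    print("1,300-day dwell cost multiplier:", dwell_cost_multiplier(1300))
```

Run against a real inventory export, each exception row is the line item an auditor would raise; the 1,300-day dwell case reproduces the article's 8,192x figure.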
Implement more active and effective monitoring. Once an organization understands the risks, it can effectively deploy the tools to better monitor risk areas. Furthermore, best practices dictate that an organization should have a predefined plan for periodic security framework assessments. This means using the best third-party tools available to do a deep scan of the entire enterprise. Whether done annually, biannually, quarterly, or continuously, know the timeframes. With a cross-industry average of approximately 220 days between a breach and its discovery, make an informed decision on how long the company can afford to leave an incident undiscovered.
Audit the IRP. If one does not exist, raise it as an audit exception. Ensure that the IRP is fully cross-functional, with multiple resources from each of the following:
The executive suite
HR
Legal/compliance/audit
Business side
Customer service
IT and IS
Service desk
Security incident response team (SIRT)
Marketing and communications
Make sure to include links to shareholders, the board, and investors. Empower the plan to get in front of bad news, as opposed to responding to the flurry of media requests. A key goal of the IRP is to make sure all parts of the organization are speaking with a single voice. Do not devolve into a blame game; work the problem instead.
Update and test the IRP regularly. Businesses are not static, and the IRP should always reflect the business. Build in the appropriate collaboration tools to support updates to the plan at least once a year. When testing the plan, try to make it fail—far more can be learned from plan failures than from a smooth, no-issue test. The goal is not to assign blame; the goal is to find any embedded weaknesses and remediate them quickly. When the real event occurs, a tested and updated plan will always assist in recovering faster and at a far lower cost than otherwise.
Perform a physical audit. The number of password violations in any organization is staggering. Flag them.
Obtain proper third-party support. Establish a retainer agreement with one or more forensic or incident response consultants. Having an independent, objective view is a critical element in developing a complete picture of the incident. Work with the third-party vendor to conduct an annual security audit.
Cybersecurity must be part of the fabric of any business, and auditing can facilitate this. Ultimately, effective cybersecurity is about taking fiduciary responsibility.
Steven Wertheim is president of SonMax Consultants Inc., Marlboro, N.J.