In a week in which 560 financial control, ITGC, audit and information security experts gathered for our webcast on the “perfect storm for ICFR” (internal control over financial reporting), this is a timely adjunct to that discussion.
The last 12 months or so have amplified risk awareness across the business.
We all understand that we have transformed our operating models to support “working from anywhere” and “touchless interaction” with everyone, including customers. We have radically reshaped our processes, working practices, policies and technology capabilities.
Risks are reshaping too.
Cybersecurity is now reported to be “Top-of-Mind” for Audit Committees and CFOs.
Information is extremely valuable to attackers, and IT systems are more exposed than before: remote working and the disruption of supply chains have multiplied the number of entry points across an increasingly diverse set of systems.
Whilst these risks are real, they are typically not SOX risks: they threaten the business, not necessarily the integrity of the financial statements.
This does not make them any less important, but clarity about which risks are in scope is a prerequisite for effective action.
In the words of one of our favorite expert commentators on governance, risk management and audit:
“The key: you only need to include controls in scope to address the risk of a material error or omission in the filed financial statements. While cyber is a serious risk to the business, it is unusual for it to be a significant risk to the integrity of the filed financial statements.”
If you are being bombarded with questions on this topic from a SOX perspective, I would encourage you to read Norman Marks’ observations. They do not take the problem away, but they should help us respond better.
“There should be an objective risk assessment of how a breach could affect the business and the likelihood that it could be significant”.
You can read Norman’s post, with his 8 recommendations at the end, here.