Audits Home in on Cybersecurity

In 2018, U.S. organizations that suffered a data breach lost an average of $7.91 million as a result. That’s the highest average organizational cost of all the countries and regions covered in the 2018 Cost of a Data Breach Study by IBM and independent research firm Ponemon Institute. Malicious or criminal attacks were the source of more than half of those breaches, rather than system glitches and human errors.

With so much at stake, it’s no surprise that auditors consider these issues when conducting their audit risk assessments. This audit season, prepare to answer questions about cybersecurity and the effectiveness of your company’s internal controls against cyberthreats.

Inspections of public companies

In recent years, Public Company Accounting Oversight Board (PCAOB) inspectors have interviewed auditors of companies that have experienced a breach of their computer systems to find out how the auditors and their firms responded to the incidents. They report that auditors today are increasingly focused on matters related to cybersecurity.

Audit firms have provided varying levels of guidance, both when assessing risk at the start of an engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit.

“Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.

Audit inquiries

Possible questions that auditors might ask during fieldwork include:

  • How does management identify and prioritize cyberrisks?
  • What kind of internal controls has management established to safeguard digital assets and sensitive data (such as formal policies and procedures, employee training and the use of security analytics)?
  • How does management monitor internal controls to ensure effective operation?
  • Does management have a detailed breach response plan?
  • If a breach occurred during the accounting period, how did management respond and how much did it cost?
  • Has the company purchased cyber liability and breach response insurance?

The PCAOB hasn’t yet found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there’s a risk that future attacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program to explore what auditors are doing to protect clients’ data and stakeholder data.

Universal risk factor

PCAOB inspectors target audits of public companies. But private companies can also be victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The increasing frequency and severity of cyberattacks underscore the need for auditors of entities of all sizes to update their procedures. It’s our job to ask key questions about cyberrisks and the effectiveness of your internal controls. The answers, in turn, can help you formulate more effective governance strategies.

© 2019

Businesses Aren’t Immune to Tax Identity Theft

Tax identity theft may seem like a problem only for individual taxpayers. But, according to the IRS, businesses are increasingly becoming victims as well. And identity thieves have become more sophisticated, knowing filing practices, the tax code and the best ways to get valuable data.

How it works

In tax identity theft, a taxpayer’s identifying information (such as a Social Security number) is used to fraudulently obtain a refund or commit other crimes. Business tax identity theft occurs when a criminal uses the identifying information of a business to obtain tax benefits or to enable individual tax identity theft schemes.

For example, a thief could use an Employer Identification Number (EIN) to file a fraudulent business tax return and claim a refund. Or a fraudster may report income and withholding for fake employees on false W-2 forms. Then, he or she can file fraudulent individual tax returns for these “employees” to claim refunds.

The consequences can include significant financial losses, time lost sorting out the mess and damage to your reputation.

Red flags

There are some red flags that indicate possible tax identity theft. For example, your business’s identity may have been compromised if:

  • Your business doesn’t receive expected or routine mailings from the IRS,
  • You receive an IRS notice that doesn’t relate to anything your business submitted, that’s about fictitious employees or that’s related to a defunct, closed or dormant business after all account balances have been paid,
  • The IRS rejects an e-filed return or an extension-to-file request, saying it already has a return with that identification number — or the IRS accepts it as an amended return,
  • You receive an IRS letter stating that more than one tax return has been filed in your business’s name, or
  • You receive a notice from the IRS that you have a balance due when you haven’t yet filed a return.

Keep in mind, though, that some of these could be the result of a simple error, such as an inadvertent transposition of numbers. Nevertheless, you should contact the IRS immediately if you receive any notices or letters from the agency that you believe might indicate that someone has fraudulently used your Employer Identification Number.

Prevention tips

Businesses should take steps such as the following to protect their own information as well as that of their employees:

  • Provide training to accounting, human resources and other employees to educate them on the latest tax fraud schemes and how to spot phishing emails.
  • Use secure methods to send W-2 forms to employees.
  • Implement risk management strategies designed to flag suspicious communications.

Of course, identity theft can go beyond tax identity theft, so be sure to have a comprehensive plan in place to protect the data of your business, your employees and your customers. If you’re concerned your business has become a victim, or you have questions about prevention, please contact us.

© 2018