Viewing cybersecurity through a COSO lens

By Ken Tysiac, Editorial Director, Journal of Accountancy

Cybersecurity is a constant source of concern for businesses as high-profile breaches make headlines almost daily.

Nation states, organized crime, hacktivists, and even terrorists have demonstrated the ability to compromise technology and systems used by businesses as well as individuals.

A new report released Wednesday, COSO in the Cyber Age, describes how the popular internal control framework updated in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) can help organizations evaluate and manage cyberrisks.

Cybersecurity can be viewed through the lens of the principles of the COSO framework, according to the report, in some of the following ways:

Principle 6: Organizations specify objectives with sufficient clarity to enable the identification of risks relating to objectives. In applying this principle, management can determine the levels of risk tolerance acceptable to the organization and focus on protecting the most critical information systems.

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed, and Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Senior management, business, and IT personnel evaluate risks in the application of these two principles. They must understand what information systems are valuable to potential cyberattackers and understand how these attacks are likely to occur.

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control. Updating risk assessments on a continuous basis to reflect changes that could impact cyber controls is a key to applying this principle.

Principles 10, 11, and 12: In following these principles, the organization selects, develops, and deploys control activities. Careful design and implementation of appropriate controls—after consideration of likely attack methods used by hackers—can help fulfill these principles.

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. Formally documenting information requirements—and the related risk analysis and response—can help make sure that processes and controls will be executed consistently.

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Effective communications will educate all personnel on their responsibilities, as well as those responsible for managing cyberrisks, and the board of directors.

The report also suggests that organizations should ask:

Can executive management articulate its cyberrisks and explain its approach and response to such risks?
“There is growing concern at all levels of industry about the challenges posed by cybercrime,” COSO Chairman Robert Hirth said in a news release. “This new guidance helps put organizations on the right path toward confronting and managing the frightening number of cyberattacks.”

COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.