Cyber and SOX | Norman Marks on Governance, Risk Management, and Audit


In addition to the training I lead on SOX, I also mentor a few individuals and their organizations. One called to tell me that their external auditor had insisted that they upgrade their SOX scope to include far more on cybersecurity.

He had previously attended my class and knew to push back, requiring the auditor to explain why this was necessary since the company’s assessment (agreed by the auditor in prior years) was that the risk of a material error or omission from a breach was less than reasonably possible.

The auditor said that it was a requirement from the PCAOB!

Now I was 99% certain this was incorrect, so I had the caller tell the auditor to show him where the PCAOB had made this requirement.

The auditor gave him a link to an announcement by the PCAOB that they were going to host a roundtable on cyber!

The company was able to persuade the auditor that nothing had changed. The risk assessment they had performed was adequate and no change in scope was required.

XX

That is the key: you only need to include controls in scope to address the risk of a material error or omission in the filed financial statements.

While cyber is a serious risk to the business, it is unusual for it to be a significant risk to the integrity of the filed financial statements.

In the SOX context, ‘significant’ means that…
