Is cybersecurity not part of internal controls for financial reporting?
You may remember that back in 2020 SolarWinds Corporation had undetected malicious code, “SUNBURST”, embedded in its software, which it then unknowingly distributed to approximately 18,000 clients, including many government agencies. The SEC filed its complaint in October 2023, alleging that both the Chief Information Security Officer (CISO) and the company misled investors regarding weak cybersecurity practices and known risks. The SEC also alleged that the company had deficient cybersecurity access controls and, as a result, had failed to maintain a system of internal accounting controls. It was the first case of the SEC charging a CISO individually, and I wrote about it in “From CISO to Boardroom: Navigating the risks and responsibilities in cybersecurity oversight.”
Internal controls and legal outcomes
In July 2024, the court threw out the claim that SolarWinds and its CISO failed to maintain a system of internal accounting controls as required by Exchange Act Section 13(b). The statute defines internal accounting controls as those designed to provide reasonable assurance that transactions are recorded correctly so that financial statements can be prepared in accordance with GAAP. The court found that the statute applies only to controls related to financial accounting, not to all internal systems of control, and thus that cybersecurity controls are outside its scope.
The court also dismissed the SEC’s claim that SolarWinds failed to maintain disclosure controls and procedures that would ensure management made timely and accurate disclosures about material cybersecurity risks and incidents. The court stated that the SEC failed to prove the disclosure controls were deficient. In addition, the court dismissed the charges based on inadequate risk disclosures in the company’s filings. The court also dismissed the securities fraud claim against the CISO based on his public statements claiming high cybersecurity standards, calling those statements “non-actionable corporate puffery.” There are certainly valid arguments for not being too specific about your cybersecurity risks, but is that really an area where we think it is okay for companies to exaggerate?
Internal controls in the current landscape
Ideagen Audit Analytics just completed our report on Internal Controls - SOX 404 disclosures. In this report we aggregate all the management reports and auditor attestation reports on Internal Controls over Financial Reporting (ICFR) for fiscal year (FY) 2023. Information Technology was among the top five internal control issues leading to an adverse (not effective) internal control report. Overall, it was the third most cited reason; in auditor reports it ranked #2, and in management-only reports it ranked #5.
These rankings are based on the number of times an issue was cited as a material weakness or significant control deficiency leading to not effective ICFR. Any first-year auditor can tell you that access controls are a primary control area in information technology, alongside testing of operational and network security. Access controls ensure that only authorized personnel can reach specific systems and detect unauthorized access, including external intrusions. Any intrusion into a company’s IT environment will generally put all internal systems at risk, including the accounting system. It therefore raises an interesting debate as to how cybersecurity could not be part of the internal controls over financial reporting.