The CAQ's newly released "Cybersecurity Risk Management Oversight: A Tool for Board Members" provides a daunting - but constructive - list of questions for directors to engage with management and the outside (financial statement) auditor on cybersecurity in connection with discharging the board's oversight responsibilities.
The questions are grouped across these four categories:
- Understanding how the outside auditor considers cybersecurity risk
- Understanding the role of management and responsibilities of the outside auditor related to cybersecurity disclosures
- Understanding management's approach to cybersecurity risk management
- Understanding how CPA firms can assist boards of directors in their cybersecurity oversight
The thought-provoking questions may be equally instructive for executives charged with cybersecurity risk management responsibilities, as well as those tasked with facilitating and documenting the board's oversight responsibilities.
The paper also includes key questions from the NACD's Director's Handbook on Cyber-Risk Oversight and references to additional resources from the CAQ, AICPA, and others.
See also our prior report: "AICPA Cybersecurity Reporting Framework: Consider These Upsides," and an abundance of additional resources - including board oversight guidance - on our Cybersecurity page here.