The question of auditor responsibility when it comes to cybersecurity

By Jessica Salerno, OSCPA senior content manager

As cyber security headaches make their way into everyday business tasks, financial professionals need to consider how these issues will change the way they work in the future.

“Cyber security is a hot topic going around right now and everyone is talking about the risk,” said Dana Howell, CPA, director at Sikich. “But no one is talking individually about how it applies to employee benefit plans.”

Howell will present “Lost in Cyber Space: Cybersecurity Risk to Plans” at the Employee Benefit Plan Audit Conference. Retirement plans are attractive targets for hackers because they have the type of vital information hackers would need, like social security numbers and date of birth.

Howell said the presentation will look at cybersecurity from the audit and IT perspective, as she will be presenting with someone from Sikich’s IT group.

“As auditors the expectation of what we are responsible for continue to increase, while our fees stay the same,” Howell said. “It’s evolving and this is a newer area. What are our responsibilities as auditors? Do we have any responsibility relating to evaluating the cybersecurity of a plan?”

The way auditors work has become much more fluid, Howell said, like working on your laptop at the airport in between clients. A passerby could look over your shoulder and see sensitive data, compromising someone else’s personal information.

Howell said the number of people who have access to a plan also can be a concern when it comes to fiduciary responsibility.

“It’s going to continue to grow momentum,” she said. “The medical profession is the only other area where this occurs. People’s date of birth and social security numbers are how you verify coverage. There are controls in place to regulate that information. But in benefit plans there is very similar information that’s going between the plan’s sponsor, CPA, custodian and the auditor, and there are zero rules in place.”

It’s important to be a resource for clients and help them navigate these situations, Howell said.

“I’m all about being proactive versus reactive,” she said. “It’s not our job as auditors to tell clients ‘You should be doing this,’ but I also want to give them the tools they need so if they are proactive they can put things in place. It’s a lot easier to put a plan in place now than to clean up a mess later.”

Seats are limited- register now for the conference to hear from Howell and more expert speakers on the issue affecting employee benefit plans.