Read Richard Chambers' Latest Blog:
When the SEC Speaks About Cybersecurity, We'd All Better Listen
In his blog, Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. Here's an excerpt from his latest blog:
I often find myself talking with reporters about internal audit's role regarding risks, particularly cybersecurity. Recently, a reporter asked me about a new U.S. Securities and Exchange Commission (SEC) investigative report, "Cyber-Related Frauds Perpetrated Against Public Companies." The report describes investigations at nine publicly traded companies that were victims of cyber fraud.
In each case studied by the SEC, employees were tricked into sending large sums to bank accounts controlled by fraudsters. Some of the scams continued for months, and often they were detected only after intervention by law enforcement or other outside parties. The nine companies wired a total of nearly $100 million to the criminals, most of which was unrecoverable, according to the SEC.
As a result of its investigation, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. It's good advice. But as internal auditors, we know that cybersecurity preparedness is not just an issue when implementing accounting controls. It is a vitally important facet of risk management every day, in every part of the organizations we serve.