“Nope, that’s not my problem” – said every privately held company in February 2018 when Securities and Exchange Commision (SEC) released the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” However, in reality, audit requirements for private companies in the United States predominantly align with many of the requirements public companies have. Therefore, while ignorance may mean bliss when you hear your pet knock something over in the kitchen, it doesn’t when it comes to cybersecurity and audit practices.
Auditing Standards for Private Companies
What is the Financial Accounting Standards Board (FASB)
Founded in 1973, FASB is an independent, not-for-profit organiation that establishes accounting and reporting standards recognized by the American Institute of Certified Public Accountants (AICPA). Recognized by the SEC, FASB sets the accounting standard for public companies in the United States.
What are the Generally Accepted Accounting Principles (GAAP)
GAAP principles focus on determining your assets and liabilities by looking at variety of factors that impact your financial reporting and health.
Economic Entity Assumption
Business transactions differ between a sole proproetorship and business owner personal transactions. Under accounting principles, you “gotta keep ’em separated.”
Monetary Unit Assumption
All money is measured in US dollars without accounting for inflation.
Time Period Assumption
All financial statements need to clearly label a start month, day, and year and an end month, day, and year.
Based on the amount of money spent at the time you originally obtain an asset, this does not reflect increase or decrease in value.
Full Disclosure Principle
Financial statements provided to investors or lenders must include a description of potential impacts, such as lawsuits or data breaches, to your financial stability.
Going Concern Principle
Accountants will determine whether or not your business will be able to continue to function based on comparing your assets to your liabilities.
You need to match expenses to revenues. You need to align employee wages for when the employees worked not when you paid them. Bonuses, for example, need to be reported for the year you promised them, not the following year when you pay them out.
Revenue Recognition Principle
This aligns to the matching principle since you need to report revenue for the time period when you complete a project rather than when you get paid. Revenue includes the promise of a payment even when the payment has yet to be made.
As part of financial reporting, you can choose to expense an entire technology purchase for the year in which you buy it rather than split that cost up for the number of years you use the product. It also means that dollars are rounded to the nearest whole number rather than using fractions.
This principle requires you to account for a net loss or gain based on potential outcomes. For cybersecurity, this is a primary financial reporting concern since data breaches remain a “when” rather than “if” question. However, part of the accounting principle includes likelihood of the cost so maintaining a security-first cybersecurity posture helps strengthen your stance.
When to apply GAAP
As a privately held company, it’s easy to assume that your financial reporting requirements are different from those used by publicly held companies. However, many startups and other privately held companies look to investors or financial services institutions to enable their businesses.
If you’re one of these types of companies, you’re going to need to prove your financial stability before someone gives you a loan or investment. As part of that, GAAP-based financial reporting provides confidence in your business.
How cybersecurity applies to audited financial statements
So, you’ve decided to apply GAAP to your organization and now you need to understand how you translate your cybersecurity risks into lines on your financial statements.
SEC Cybersecurity Guidande
For public entities, the February 2018 SEC interpretation on cybersecurity disclosures meant that any data breaches need to be reported as soon as possible. The SEC noted specifically that companies’ “exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased.”
As such, public entities need to disclose risks associated with cybersecurity and cybersecurity incidents. For private companies, the guidance gives you a roadmap for how to assess cybersecurity risks as part of your evaluation of potential losses.
A strong security-first approach lessens your likelihood of breach meaning that your financial statements can reflect assurance over data protection. This enables you to provide a financial services institution or investor confidence over your assets.
FASB Accounting Standards Codification 606
Although originally released in May 2014, all nonpublic entities who use GAAP principles must comply by December 31, 2019. Titled “Revenue from Contracts with Customers,” the guidance provides insight for recognizing revenue. Revenue recognition requires you to account for evidence of an arrangement (often a service-level agreement), delivery of services, fixed price, and ability to collect.
In cybersecurity, vendors may work with their customers for more than a single year. Because of this, the accounting standards require you to take a princples-based review of the amount and timing of revenue. Where previously you were able to spread out revenue for long-term contracts, you may no longer be able to.
While this may not sound cybersecurity related, your current data collection and information technology systems may be inadequate for assessing these new costs. With that in mind, you may need to engage additional vendors which then requires additional cybersecurity monitoring to maintain your current cybersecurity stance.
FASB Accounting Standards Update 2018-15
The August 2018 Accounting Standards Update (ASU) focused on how you report cloud computing agreements. Under the new ASU, you can spread out the costs associated integration and testing over time to reflect changes in the market and security threats. For example, ASU 2018-15 addresses:
- Accounting for costs of reengineering activities, which often are associated with new or upgraded software applications.
As part of your vendor management program, you’re ensuring that the software maintains cybersecurity levels that align to your risk tolerance. The new accounting standard allows you to incorporate re-engineering or upgrades as part of your financial reporting.
How ZenGRC Enables Private Companies to Meet Audit Standards
ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates.
As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.
By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.
For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.