Blogs

Beyond Accounting: Cybersecurity and the Future of Internal Controls

By Professionals Group posted 03-25-2025 11:00 AM


By Matt Kelly, Radical Compliance

For more than 20 years now, internal audit and corporate accounting teams have strived to build effective internal accounting controls — necessary for strong financial reporting, Sarbanes-Oxley compliance, anti-fraud programs, and more. 


Along the way, however, a pattern cropped up that hasn’t yet received the attention it deserves: internal accounting controls have converged with internal cybersecurity controls. 

For example, recall the CrowdStrike outage of July 2024, when businesses around the world came to a screeching halt thanks to a flawed content update that cybersecurity firm CrowdStrike pushed to the Falcon sensor running on its clients' Windows hosts. That update crashed roughly 8.5 million Windows machines, including critical IT systems those companies used to run their business, causing billions of dollars in damage. It was exactly the sort of disaster that keeps CEOs and boards awake at night.

Now appreciate all that from an internal controls perspective: thousands of companies had IT systems that allowed a third party to push an update straight into the live environment, with no staging, canary rollout, or testing on the customer's side. That is a terrible practice for IT general controls, which are supposed to ensure that changes to production systems are authorized, tested, and approved before deployment.

So in theory, every publicly traded company that fell victim to the CrowdStrike outage should have disclosed a material weakness in its IT general controls when the next quarterly filing rolled around, and every audit firm attesting to those ITGCs should have issued an adverse opinion on internal control over financial reporting (the auditing standards do not permit a merely "qualified" ICFR opinion when a material weakness exists). Right?

Spoiler: that did not happen. Instead, victim companies reported as usual that they had maintained effective internal control over financial reporting, even though the CrowdStrike outage demonstrated that those same ITGCs weren't working as necessary for cybersecurity purposes. The reason is scope: SOX 404 evaluates ITGCs only insofar as they support the accuracy of financial reporting, and an outage that halts operations without corrupting the books is generally judged not to be a deficiency in ICFR. Yet in numerous cases, the ensuing disruption cost companies a material amount of money to clean up.

This is the new challenge that internal audit, cybersecurity, and SOX compliance teams all need to address somehow. The IT general controls you use for effective financial reporting are now also the same controls you use for a host of other purposes, such as compliance with data privacy laws or maintaining good cyber defenses. 

So you need a more holistic approach to the design, testing, and documentation of those controls, to stay ahead of the risks (compliance or otherwise) that your company has.


The Regulatory Perspective on Cybersecurity Controls

Internal audit and SOX compliance teams worry foremost about the Securities and Exchange Commission, and what it has to say about internal controls. The history here is mixed, and it needs attention.

Most notably, the SEC filed a lawsuit in October 2023 against IT services firm SolarWinds, which had suffered its own software supply-chain disaster, discovered in December 2020. In that instance, operatives attributed to Russian intelligence inserted a backdoor (later named SUNBURST) into the build of SolarWinds' Orion software product. SolarWinds then signed and shipped the tampered build to corporate and government customers, who installed the backdoor as part of a routine upgrade. Note the contrast with CrowdStrike: because the malicious code was inside a legitimately signed vendor release, customer-side patch testing would not have caught it; the control failure was in the vendor's build and release pipeline.

The SEC argued that SolarWinds' poor cybersecurity was an example of poor internal accounting controls under Section 13(b)(2)(B) of the Exchange Act. After all, those controls are supposed to provide reasonable assurance that access to company assets happens only in accordance with management's authorization. Since management never authorized the Russian hackers to have access to SolarWinds' systems, the SEC said, that meant the internal accounting controls were ineffective.

That argument was always a stretch, and in July 2024 a federal judge in New York threw out that part of the case, along with most of the disclosure claims. The judge did, however, allow one part of the lawsuit about misleading disclosures to proceed. SolarWinds had published a "Security Statement" promising that it took secure software development and access control seriously, but the SEC uncovered numerous internal employee emails describing how bad those practices actually were; therefore, the SEC said, SolarWinds' statements to investors were misleading. That part of the case is still pending.

Think about what this means: your company’s cybersecurity practices (or the lack thereof) could qualify as SOX compliance issues — and we’re not just talking about access controls to your general ledger. Even your broader, fundamental approach to security and privacy could cause a SOX compliance headache. 

Moreover, the SEC isn't the only regulator with an interest in cybersecurity. State attorneys general have broad discretion to take enforcement action against companies for data privacy breaches. The U.S. Federal Trade Commission can do the same for misleading promises about cybersecurity and data protection that companies make to consumers. If you do business globally, the data protection authority of any EU member state can take enforcement action against you under the General Data Protection Regulation.

In other words, there's little point in trying to disentangle the SOX compliance risk of internal accounting controls from the operational risk of internal cybersecurity controls. The controls themselves are one and the same: the same password and authentication policies, the same walk-throughs, the same access controls testing, the same change-management approvals, the same documentation chores, even though they serve multiple purposes.

That’s how internal controls need to be treated today. So how can you do that? 


Think About Better Audit Capabilities

Audit teams should always be thinking about the capabilities they'll need to address a risk, rather than the activities they should undertake to fulfill a compliance obligation. That's especially true here, since the distinction between a SOX compliance risk and a cybersecurity operational risk is essentially meaningless.

In that case, we can reverse-engineer a few capabilities that your audit team will need to meet the moment.

  • Regulatory change management. Even modestly sized businesses now have numerous cybersecurity and privacy obligations to meet, from SOX to GDPR, the HIPAA Security Rule for healthcare, the New York Department of Financial Services cybersecurity regulation for financial firms, and others. An ability to track which rules apply to you, and how those rules do and don't overlap, will be crucial.
  • Controls mapping. You'll then need to map your controls to those regulatory requirements, and ideally to identify controls that can satisfy multiple regulatory obligations at once. A single, well-evidenced access review or change-approval control should be tested once and relied upon for SOX, privacy, and security purposes alike.
  • Risk assessment and controls design. The lines between different types of risk will keep falling away, which means audit teams will need to work more closely with First- and Second-Line business functions to devise newer, more efficient controls. Some of that might depend on good communications technology, but you'll also need to "know the business," as the cliché goes, and have good interpersonal skills.
  • Documentation. Effective documentation of controls, testing, and the like has always been important for compliance, but it will now become more important, since the same evidence will be relied upon by more stakeholders and more regulators.


Ultimately, this is about melding SOX compliance and cybersecurity into one system of internal control for risk. That’s going to challenge lots of preconceived notions about roles and responsibilities for risk oversight, and require creative thinking about audit technology, controls design, team management, and more.

On the far side of things, however, the result could be (if you do it right) a more integrated, streamlined approach to risk management. Given the complexity of today’s risk environment, that’s a journey worth taking.


About Matt Kelly

Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.

Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.

Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.



#SECPro
#SOXPro
#AI
#Audit
#CrossFunctionalTeams
#Cybersecurity
#EthicsCulture
#IntegratedReporting
#Legal
#ProcessImprovement
#Technology,Software,Vendors
#SECEnforcement
#Compliance
#ControlsManagement
#InternalAudit
#RiskManagement
#SOX

Comments

04-01-2025 08:34 AM

Matt, thanks for your insights.

Most of the big firms plus the IIA and other organizations publish various reports each year showing the top risks facing organizations, and for several years cyber has been a top 3 risk in most of them (top of the list more often than not).

One of the challenges is that in most organizations the majority of internal audit resources are committed to SOX 404 and similar compliance activities, so there is little left for higher-order risks like cyber. I understand how challenging the conversations can be with executive teams and audit committees to get additional resources to focus on these risks (I had them many times during my 20 years as a CAE).

It would be great to get some dialogue here from internal audit leaders on how they are addressing this challenge of implementing an audit plan that appropriately addresses significant risks like cyber.

03-26-2025 02:19 PM

Was there a SOC report?