I recently interviewed a Big 4 partner who made the comment that some people view an IT breach as evidence of a weakness in internal controls. The question arises then as to whether that implies a weakness in internal controls over financial reporting. Some people take the perspective that the auditor is only responsible for ICFR that affects the general ledger. This gets a bit muddy when customer records, which may be part of the revenue system are involved. Another argument is that these are related to operations, not ICFR (internal controls over financial reporting).
Discuss briefly what happened at equifax and if the events had any financial statement or ICFR ramifications. Outside of the financial statements, was there a material impact on market values? You may with to review the company’s SEC filings to better think through the financial statement effects. (Relevant documents to answer this question are the GAO report).
So from the perspective of an investor of Equifax with an understanding of the rules of what the auditor’s responsibilities are, what is your view about the role financial statement auditors should play with respect to security breaches? Does providing IT related non-audit services (as EY did in the case of Equifax) change the investor’s perception of the responsibilities of the financial statement auditor? Would your perspective be different if you were a Big 4 audit partner? Justify your answers based on what the audit standards say.
Sample Solution
