In 2017, MacEwan University in Edmonton, Alta. was scammed out of $11.8 million in a cyberattack, perpetrated through a series of fraudulent emails in a practice known as “phishing.”
For accounting and financial executives, it was a cautionary tale about the ways in which cybersecurity has changed the role and responsibilities of the finance function. Though MacEwan appeared at first to lay the blame at junior staff in the accounts payable department, its vice-president of finance and administration left the university within weeks of the scandal to “pursue other opportunities.”
Clark Builders, an Edmonton-based construction company, had been a MacEwan vendor since 2003 and was owed a $9-million final payment on the construction of a building called Allard Hall. Employees in the accounts payable department received a series of emails requesting a change of banking information. The cybercriminals created a copycat Clark Builders website and convinced MacEwan staff to send payment to another bank account.
“This was not a sophisticated fraud,” says Bridget Noonan, a partner at Vancouver’s Clearline Consulting, which advises accounting firms. “They [MacEwan] were conducting business with a large entity [Clark] whose controls likely required timely follow-up on nonpayment of receivables as part of their own processes,” says Noonan. “If that call had not been made, we can only speculate the magnitude of payments which may have been issued.”
Professor Karim Jamal, chair of the department of operations and information systems at the University of Alberta, agrees, saying the scam could have been easily prevented. “The people at the senior level in MacEwan were not paying attention, and their internal controls were very lax.”
MacEwan, according to the professor, “said junior-level staff got fooled. But they had no business processing the payment. It’s a managerial failure. It’s not a failure of the low-level staff.”
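As an added example that is not part of the article (and not anything MacEwan or Clark Builders actually used), the following shows the kind of vendor bank-change control that Noonan and Jamal describe as missing: the request must come from the vendor's registered email domain (with lookalike domains flagged), it must be confirmed by a callback to the phone number captured at onboarding rather than to any number in the email, and a second person other than the clerk who entered it must approve before the account on file is changed. All vendor names, domains, phone numbers and account identifiers are constructed for illustration.

```python
# Added example (not from the article): a minimal vendor bank-detail change
# control. All vendor data, domains and names below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vendor:
    name: str
    email_domain: str     # domain captured at onboarding, not taken from later emails
    callback_phone: str   # number captured at onboarding, used for out-of-band checks
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor_name: str
    sender_email: str                  # address the request arrived from
    new_bank_account: str
    entered_by: str                    # AP staff member who keyed the request
    callback_confirmed: bool = False   # True only after a call to Vendor.callback_phone
    approved_by: Optional[str] = None  # second person who approved the change


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def looks_like(domain: str, registered: str) -> bool:
    """True when a non-matching domain reuses the vendor's registered label
    (e.g. 'clarkbuilders-inc.example' vs 'clarkbuilders.example')."""
    label = registered.split(".")[0]
    return domain != registered and label in domain


def evaluate(vendor: Vendor, req: BankChangeRequest) -> List[str]:
    """Return the list of control failures; an empty list means the change may proceed."""
    failures = []
    dom = sender_domain(req.sender_email)
    if dom != vendor.email_domain:
        msg = f"sender domain {dom!r} does not match registered {vendor.email_domain!r}"
        if looks_like(dom, vendor.email_domain):
            msg += " (possible lookalike domain)"
        failures.append(msg)
    if not req.callback_confirmed:
        failures.append("no out-of-band callback to the number on file")
    if req.approved_by is None:
        failures.append("no second-person approval")
    elif req.approved_by == req.entered_by:
        failures.append("approver is the same person who entered the request")
    if req.new_bank_account == vendor.bank_account:
        failures.append("new account is identical to the current account")
    return failures


def apply_change(vendor: Vendor, req: BankChangeRequest) -> bool:
    """Update the bank account only when every control passes."""
    if evaluate(vendor, req):
        return False
    vendor.bank_account = req.new_bank_account
    return True


# Constructed sample data, not real vendor, phone or bank details.
CLARK = Vendor("Clark Builders", "clarkbuilders.example", "+1-000-000-0000", "ACCT-OLD")

# A request from a lookalike domain, no callback, no approver: every control fails.
SUSPECT = BankChangeRequest(
    "Clark Builders", "accounts@clarkbuilders-inc.example", "ACCT-NEW",
    entered_by="ap_clerk")

# A request that passed the callback and was approved by a different person.
LEGIT = BankChangeRequest(
    "Clark Builders", "accounts@clarkbuilders.example", "ACCT-NEW",
    entered_by="ap_clerk", callback_confirmed=True, approved_by="ap_manager")

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("legitimate", LEGIT)):
        print(label, evaluate(CLARK, req) or "all controls passed")
```

The point of `evaluate` returning a list rather than a boolean is that each failed control is recorded separately, which gives the reviewer of a rejected request the audit trail that a single "rejected" flag would not.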
The MacEwan case illustrates how pervasive digitization has created myriad cybersecurity risks for finance teams. But the digital age is also changing the three traditional roles involved in financial governance: chief financial officer (or vice-president finance), audit committee and audit partner.
Chief financial officers
According to global management consulting firm McKinsey & Company, finance leaders are reporting new demands upon their time, including cybersecurity, in addition to traditional finance duties. Four in 10 CFOs are now spending most of their time on non-finance roles, with 38 per cent responsible for IT.
The shift reflects a growing awareness and acceptance by senior management and governance boards that cyberattacks and data breaches measurably impact the bottom line. Three months after the data breach at Equifax in the U.S., the company’s stock had fallen by 18 per cent. The company is still under a cloud of litigation that could affect its long-term share value.
Then there is the threat to intangible assets such as brand reputation. In 2017, global accounting giant Deloitte reported that it was the victim of a cyberattack that went undetected for months, after hackers found an administrative account that did not require two-step authentication. Ironically, cybersecurity is a major revenue driver for Deloitte, with annual revenue of $2.8 billion in 2016.
McKinsey found that the level of senior management engagement with cybersecurity varied dramatically.
“In some companies, the CISO [chief information security officer] meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.”
As the corporate finance function has evolved, so too has the role of audit committees, with many parties asserting the need for audit committee oversight of cybersecurity.
“The audit committee, in its capacity of overseeing risk management activities and monitoring management’s policies and procedures, plays a significant strategic role in coordinating cyber risk initiatives and policies and confirming their efficacy,” stated Deloitte in its report, “Cybersecurity: The Changing Role of Audit Committee and Internal Audit.”
But Brian Hunt, the chief executive officer of Canada’s audit regulator, the Canadian Public Accountability Board, disagrees. A lot of audit committees, he contends, “are becoming risk and audit committees, especially cybersecurity risk. I think you have to ask if they really have the expertise. And one of the things I hear from audit committees is that they’re overburdened now.”
Nevertheless, in its report, Deloitte cites a study of global enterprise security governance practices conducted by the Carnegie Mellon University CyLab. “Forty-eight per cent of corporations surveyed reported having a board-level risk committee responsible for privacy and security risks, a dramatic increase from the eight per cent that reported having such a committee in 2008.”
While the internal audit function regularly reviews controls pertaining to cybersecurity, and should be up to date on cybersecurity risks and developments, a significant change may be coming for external auditors. In the U.S., auditors will be required to report “critical audit matters” in a phased-in approach, beginning with audits of fiscal years ending on or after June 30, 2019.
In Canada, public companies listed on the TSX will be required to report significant new information in audit reports likely as of December 2020, according to the Auditing and Assurance Standards Board. The new standard will significantly alter and expand the traditional auditor's report and may one day require standardized disclosure of cybersecurity risks.
External auditing can often be a valuable source of information on cybersecurity issues. According to Deloitte, “many firms have practices focused on evaluating and strengthening security controls and implementing programmes for enterprise risk management.” But in a world of pervasive digitization, auditors may sign off on cybersecurity assurance.
The shift in roles is already occurring, with many conglomerates, such as PepsiCo, shifting IT under the finance function. The skills of accounting and finance professionals in financial data management are a natural fit for data security strategies. And the finance function is where traditionally strong frameworks of controls can mitigate internal risk – as long as the financial controls are in place to prevent scandals like the one that occurred at MacEwan University.