Mitigating risk at the intersection of cybersecurity and financial reporting

Summary

 

  • CFOs and CISOs should collaborate to mitigate cyber risks, strengthen internal controls and support accurate financial reporting.
  • Regular evaluations of cyber risks, including identity management, endpoint security and third-party risk, help maintain the integrity of financial data.
  • Prioritizing financial systems in response plans supports resilience, accurate disclosures and faster recovery from cyber incidents.
  • Ongoing communication between finance and security teams ensures that cybersecurity measures evolve with business changes and regulatory demands.

As cyber threats become more sophisticated and pervasive, collaboration between chief financial officers (CFOs) and chief information security officers (CISOs) is essential. Without it, organizations risk operational disruptions, compliance failures and the loss of their ability to provide stakeholders with materially accurate and timely financial statements. CFOs bring a strategic grasp of risk management, resource allocation and financial reporting, while CISOs bring the technical knowledge needed to identify and mitigate cyber threats. Together, they can align cybersecurity initiatives with financial objectives and reinforce the internal controls required for reliable reporting and effective incident mitigation.

According to PwC’s 2025 Global Digital Trust Insights survey, only 47% of CISOs are involved in strategic planning with CFOs on cyber investments, and just 26% of companies report that they usually have controls in place to respond rapidly to cyber threats. These gaps point to weaknesses in internal controls and can expose organizations to regulatory scrutiny and stakeholder distrust. To bridge them, CFOs and CISOs should proactively align their efforts so that controls evolve in step with shifting cyber risks while continuing to support financial reporting obligations.

March 11, 2025

A collaborative approach to internal controls

Since financial data is a prime target for cyberattacks, strong internal controls are important for reliable and timely reporting. Organizations should establish structures that can continuously assess the impact of cyber threats on internal controls. CFOs and CISOs should focus on these five priorities.

1. Conduct an integrated risk assessment.

Joint risk assessments should thoroughly evaluate cyber risks relevant to internal control over financial reporting (ICFR). This includes analyzing both the likelihood and potential magnitude of threats that give rise to financial reporting risks. Integrating a recognized framework into your financial risk assessment process provides a structured approach, helping to align cybersecurity activities with ICFR obligations.

2. Establish effective internal controls to help mitigate risks.

Control weaknesses often stem from lapses in basic cyber hygiene. Identify and design internal controls that can adapt as cyber exposures change. Changes in exposure are often driven by business transformations, such as system integrations following an acquisition or major technology initiatives that expand the digital footprint, so control coverage must scale and respond accordingly. Controls should also be proportionate to risk: high-risk systems, such as externally facing payment platforms, warrant more stringent safeguards than lower-risk systems, such as internal applications that store only publicly available information.

3. Assess internal controls.

Even strong controls require regular evaluation to stay ahead of evolving threats. Ask key questions across several areas.

  • Identity and multi-factor authentication: Do we have a process to verify user identities and enforce multi-factor authentication (MFA) consistently across all externally facing ICFR systems?
  • Privileged account management: Have we inventoried administrator and service accounts? Are access restrictions in place, such as prohibiting clear-text storage of passwords and hardening the configuration of remote access protocols?
  • Endpoint detection and response: Are all endpoints tied to ICFR systems covered by properly configured endpoint detection and response (EDR) tooling that detects and responds to malicious activity?
  • Intrusion detection and monitoring: Is the network segmented to reduce the exposure of ICFR systems? Are intrusion detection and security information and event management (SIEM) systems in place and actively monitored?
  • Threat and vulnerability management: Are vulnerability scans and patching performed on a regular cadence? Do these processes cover systems operated by third parties?
  • Supply chain and third parties: Have we assessed cyber threats in the supply chain? Have we clearly defined internal control responsibilities with third-party providers, and have we tested that those controls operate as intended?
  • Backup and recovery: Are backups performed on a regular schedule? Do we test recoverability to confirm that data can be restored promptly during an incident?

Strengthening internal controls is an ongoing effort. Continuous monitoring, with close collaboration between CFO and CISO teams, helps make sure that both financial reporting and cybersecurity measures remain effective over time.
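As an added example, not code from the PwC article, the script below turns the checklist above into automated evidence checks that can run on a schedule as part of continuous monitoring. It evaluates a constructed inventory of systems, accounts and endpoints against the identity, privileged access, EDR, segmentation, third-party and backup questions, and reports exceptions only for systems in ICFR scope. The record layouts, the system and account names, and the thresholds (daily backups, a restore test within 90 days, a vendor assurance report within a year) are assumptions for illustration; in practice the records would be exported from the identity provider, EDR console, CMDB and backup platform.

```python
"""Automated evidence checks for the ICFR cyber-control questions above.
Added example, not code from the PwC article: record layouts, names and
thresholds are constructed assumptions. Real records would come from the
identity provider, EDR console, CMDB and backup platform."""
from __future__ import annotations
from collections import Counter, namedtuple
from dataclasses import dataclass
from datetime import date

Finding = namedtuple("Finding", "control subject detail")

@dataclass
class System:
    name: str
    icfr: bool                     # in scope for internal control over financial reporting
    external: bool                 # reachable from the internet
    mfa_enforced: bool
    segment: str                   # network zone label
    operated_by: str               # "internal" or "vendor"
    last_backup: date | None
    last_restore_test: date | None
    vendor_assurance: date | None  # last SOC report or vendor assessment reviewed

@dataclass
class Account:
    name: str
    system: str
    privileged: bool
    is_service: bool
    cleartext_password_found: bool  # e.g. credential found in a script or config file
    mfa_enrolled: bool

@dataclass
class Endpoint:
    hostname: str
    system: str
    edr_installed: bool
    edr_policy: str                # "blocking", "detect-only" or ""

def assess(systems, accounts, endpoints, today, *, backup_days=1,
           restore_days=90, assurance_days=365, flat_segment="corp"):
    """Return control exceptions, evaluated for ICFR-scoped systems only."""
    in_scope = {s.name for s in systems if s.icfr}
    out = []

    def stale(d, limit):  # missing evidence counts as stale
        return d is None or (today - d).days > limit

    for s in (x for x in systems if x.icfr):
        if s.external and not s.mfa_enforced:
            out.append(Finding("identity-mfa", s.name, "externally facing, MFA not enforced"))
        if s.segment == flat_segment:
            out.append(Finding("segmentation", s.name, f"sits in the general '{flat_segment}' segment"))
        if stale(s.last_backup, backup_days):
            out.append(Finding("backup", s.name, f"no backup within {backup_days} day(s)"))
        if stale(s.last_restore_test, restore_days):
            out.append(Finding("recoverability", s.name, f"no restore test within {restore_days} days"))
        if s.operated_by == "vendor" and stale(s.vendor_assurance, assurance_days):
            out.append(Finding("third-party", s.name, f"vendor assurance older than {assurance_days} days"))

    for a in accounts:
        if a.system in in_scope and a.privileged:
            if a.cleartext_password_found:
                out.append(Finding("privileged-access", a.name, "credential stored in clear text"))
            if not a.is_service and not a.mfa_enrolled:  # service accounts use other controls
                out.append(Finding("privileged-access", a.name, "interactive admin without MFA"))

    for e in (x for x in endpoints if x.system in in_scope):
        if not e.edr_installed:
            out.append(Finding("edr", e.hostname, "no EDR agent on ICFR endpoint"))
        elif e.edr_policy != "blocking":
            out.append(Finding("edr", e.hostname, f"EDR policy is '{e.edr_policy or 'unset'}', not blocking"))
    return out

def summarize(findings):
    """Exceptions per control area: the view a CFO/CISO status review needs."""
    return dict(Counter(f.control for f in findings))

# Constructed sample inventory; the names are placeholders, not real systems.
TODAY = date(2025, 3, 11)
SYSTEMS = [
    System("erp-gl", True, False, True, "fin-zone", "internal", date(2025, 3, 10), date(2025, 1, 15), None),
    System("payments-portal", True, True, False, "dmz", "internal", date(2025, 3, 10), None, None),
    System("payroll-saas", True, True, True, "saas", "vendor", date(2025, 3, 11), date(2024, 12, 1), date(2023, 12, 1)),
    System("consolidation", True, False, True, "corp", "internal", date(2025, 3, 5), date(2025, 2, 20), None),
    System("intranet-wiki", False, False, False, "corp", "internal", None, None, None),  # not ICFR
]
ACCOUNTS = [
    Account("svc_erp_batch", "erp-gl", True, True, True, False),
    Account("jdoe_admin", "payments-portal", True, False, False, False),
    Account("wiki_admin", "intranet-wiki", True, False, True, False),  # out of scope, must not be flagged
]
ENDPOINTS = [
    Endpoint("fin-ws-01", "erp-gl", True, "blocking"),
    Endpoint("fin-ws-02", "erp-gl", True, "detect-only"),
    Endpoint("pay-srv-01", "payments-portal", False, ""),
]

if __name__ == "__main__":
    for f in assess(SYSTEMS, ACCOUNTS, ENDPOINTS, TODAY):
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Running the script prints one line per exception plus a per-control tally from `summarize`; the out-of-scope intranet wiki and its admin account produce nothing, which reflects the scoping discipline the text asks for: control effort tracks financial reporting risk rather than the whole estate. Feed the summary into the CFO/CISO review cadence rather than treating a clean run as proof of control effectiveness, since these checks test evidence freshness and configuration state, not whether a control actually operated as designed.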

4. Align financial reporting obligations with incident response and recovery plans.

A strong incident response plan is vital to maintaining financial reporting integrity and enabling swift recovery. CFOs often serve as the primary contacts for external auditors and stakeholders after an incident, so they need access to accurate, timely information. Prioritizing financial reporting systems within response and recovery plans helps keep that data reliable during a crisis. Integrating the CFO and financial reporting functions into the incident response framework also streamlines recovery, while appropriate cyber insurance can offset incident-related costs and bolster overall resilience.

5. Communicate across functions.

Strong collaboration between finance and IT is vital. Regular communication between CFOs, CISOs and their teams helps ensure that business changes and evolving cyber threats are promptly reflected in internal control processes. A unified approach, one that analyzes technical incident details alongside their financial reporting impact, lets you determine disclosure requirements more effectively and maintain transparency with regulators and stakeholders.

Readiness today, security tomorrow

Embedding cybersecurity as both a technical requirement and a business priority creates a culture of shared accountability that can strengthen resilience against emerging threats. By streamlining internal controls, fostering clear communication and continuously assessing risks, your organization can effectively guard against cyber threats while safeguarding the integrity of financial reporting. Proactive readiness assessments should be conducted to measure preparedness against industry leading practices, to help identify gaps and to refine strategies before incidents occur. Through continuous evaluation and strategic alignment, CFOs and CISOs can drive greater trust and resilience in financial reporting across your organization.

Sarika Davis

Partner, Digital Assurance & Transparency, PwC US

Joe Sousa

Partner, Digital Assurance & Transparency, PwC US