We have two clarifications and two updates to our March 17 blog post, which noted that customer data is an asset that is covered by the definition of internal control over financial reporting (ICFR) in Rule 13a-15(f) under the Exchange Act. First, there are many forms of customer data, and not all of those are assets. Since neither Section 13(b)(2)(B)(iii) nor Rule 13a-15(f) of the Exchange Act defines “asset,” however, it is possible that the term may include items that do not appear on a company’s balance sheet. Therefore, we think that it is incumbent on companies to analyze the various forms of customer data to determine whether they are assets within the scope of ICFR. Second, just because a company concludes that controls over assets are necessary for purposes of ICFR does not mean that deficient controls could constitute a material weakness. A material weakness relates to controls necessary to the preparation of financial statements. Assets that are not on a company’s balance sheet would not have controls that would affect the preparation of financial statements.
The updates to our March 17 blog are that the SEC held a cybersecurity roundtable on March 26 and PCAOB Board Member Steven B. Harris gave a speech in which he discussed cybersecurity issues. The participants in the roundtable discussed cybersecurity and the issues and challenges it raises for market participants and public companies. For more information, please see our Securities LawFlash, which describes the roundtable and recommends various additional steps that companies should take to address the risks of cyber attacks. And, in Harris’s March 20 speech, he indicated that he “support[s] the Board’s focus on the role of the auditor with respect to cybersecurity and ha[s] suggested the Board consider forming an internal task force on the subject or issuing an audit alert related to cybersecurity risks and their potential impact on audits.”