At a glance
- As businesses have shifted rapidly to remote and virtual operations, their exposure to cyber attacks has increased.
- Data manipulation, misappropriation of funds or assets and leaks of confidential information are among the greatest threats to businesses.
- The Australian Auditing and Assurance Standards Board has recently released guides to assist auditors in assessing the direct and indirect effects of cybersecurity risks.
By Dr Jana Schmitz
Cyber attacks by criminal entities, many located overseas, have become a real and present threat to businesses in Australia.
The latest Annual Cyber Threat Report from the Australian Cyber Security Centre (ACSC), covering the 2019-20 financial year (1 July 2019 to 30 June 2020), reports that the most common type of cybersecurity incident is “malicious email” (27 per cent), which includes phishing and spear-phishing.
The second most common incident type is a “compromised system” (24.4 per cent), an incident in which an adversary accesses or modifies a network, account, database or website without authorisation.
Inadequate systems and controls can expose entities to data manipulation, misappropriation of funds or assets, breaches of privacy and leaks of confidential information, which in turn may lead to fines, litigation and reputational damage.
The impact of cyber breaches
Cyber attacks can affect both the integrity and reliability of financial information, creating risks of material misstatement, which the external auditor needs to assess.
Cybersecurity risks can have a pervasive effect on general information technology (IT) controls, as well as IT application controls, and consequently may undermine the effectiveness of internal control systems and processes. This affects the reliability of the financial information used in the preparation of financial reports.
To assist auditors in considering the direct and indirect effects of cybersecurity risks, the Australian Auditing and Assurance Standards Board (AUASB) has published AUASB bulletin: The consideration of cyber security risks in an audit of a financial report.
According to the AUASB, cyber breaches can have the following direct and indirect effects on a financial report:
- Recognition of provisions or disclosure of contingent liabilities as a result of a data breach: these may arise from fines or penalties imposed by regulators, as well as from legal action by affected parties where sensitive data has been lost or leaked.
- Change in the fair value of assets as a result of a cyber incident: when a particular industry is targeted, counterparties may become hesitant to transact with entities in that industry.
- Impairment of assets due to decreased operating cash flows as a result of a cyber attack: for example, where an attack has shut down operations for a significant period of time, or where it has significantly damaged the organisation’s brand.
The Bulletin also covers overall implications for the organisation’s ability to continue as a going concern if its operations or reputation are severely affected.
The Bulletin emphasises that, in relation to cybersecurity, it is the auditor’s responsibility to consider the risk of material misstatement in the financial report as part of risk assessment procedures and to respond appropriately where a risk of material misstatement is identified.
Management and those charged with governance remain responsible for having a risk assessment process in place to identify risks, including cyber risks, and for implementing and monitoring internal controls that respond to those risks.
Auditing standards require the auditor to understand how the organisation uses IT and the impact of IT on the financial report.
This includes an understanding of the extent of the organisation’s automated controls as they relate to financial reporting, including the general IT controls that are important to the effective operation of those automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process.
It is important to remember that an organisation’s overall IT platform includes systems and related data that not only address financial reporting needs, but also operational and compliance needs of the entire organisation.
The auditor’s primary focus with respect to cybersecurity risks should be on the systems and controls that ensure the security of data relevant to the preparation of the financial report.
Mitigating the risk of cyber attacks may involve companies upgrading their existing cybersecurity systems and processes.
Securing remote access will typically require periodic review and change of access controls, new or extended virtual private network (VPN) controls, multi-factor authentication, and regular updates to anti-malware (including anti-spyware) software.
In addition, companies need to ensure that appropriate cybersecurity controls are in place when new technology, whether hardware or software, is deployed. This has been especially critical during the pandemic, as many employees have been accessing corporate systems remotely.
The regulator has already sprung into action, with the Australian Prudential Regulation Authority (APRA) introducing Prudential Standard CPS 234 Information Security and issuing cybersecurity guidance for the financial services industry.
APRA has advised that it will be asking the boards of financial institutions to engage an external audit firm to conduct a thorough review of each institution’s CPS 234 compliance and to report back to both APRA and the board.
The purpose of the exercise is to identify compliance issues and ensure they are rectified as quickly as possible. It is also intended as a message to business about the seriousness of cyber threats and the need for greater accountability.
IT security controls auditors can expect an organisation to have in place, and should seek evidence of:
- Formal IT security policy
- Formal incident response plan
- Security awareness training
- Minimum password length of eight characters (a floor rather than a target; current guidance favours longer passphrases)
- Two-factor authentication
- Network firewall
- Intrusion prevention system
- Website filtering solution
- Hard disk encryption for laptops
- Anti-virus software for all PCs and servers
- Regular OS patching for servers, at least quarterly, with patches for actively exploited vulnerabilities applied much sooner
- Automatic OS patching for PCs
- Daily data back-up
- Cyber insurance