Over the last few years, there has been considerable integration of technology within the process by which entities operate, including increased reliance on internet connectivity. These changes have been accelerated by the impact of COVID-19 on the way businesses engage with staff, suppliers and customers. Remote working is widespread.
Whilst heightened online communication presents enormous opportunities, increased connectivity and reliance on the internet increases the risk of cyberattacks such as unauthorised access to information systems. Such attacks often result in loss of proprietary and sensitive information; manipulation and destruction of data, systems and networks; and even the harming of physical assets.
The Australian Cyber Security Centre (ACSC) reported that in the 2020/21 financial year, they received 67,500 cybercrime reports, equivalent to one report every 8 minutes [1]. Self-reported losses from cybercrime totalled more than $33 billion. Clearly, cybersecurity is a key issue for all businesses, however many still do not adequately consider this when assessing business risk.
For auditors, specific potential issues in relation to material misstatement of financial reports must be addressed. According to the AUASB, cyber breaches can have the following direct and indirect effects on a financial report:
- Recognition of provisions or disclosure of contingent liabilities as a result of a data breach: This may be the result of fines or penalties from regulators, as well as the possibility of legal action from affected parties where sensitive data has been lost or leaked.
- Change in the fair value of assets as a result of a cyber incident: When a particular industry is targeted, there may be a hesitancy to transact with entities within that industry.
- Impairment of assets due to decreased operating cash flows as a result of a cyber-attack: Where an attack has shut down operations for a significant period of time, or where an attack has significantly damaged the organisation’s brand.
- Implications for the organisation’s ability to continue as a going concern if its operations or reputation are severely affected.
A recent Auditing and Assurance Standards Board (AUASB) Bulletin ‘ The consideration of cyber security risks in an audit of a financial report, May 2021 [2]’, outlined the responsibilities of management and those charged with governance:
- Management is responsible for having a risk assessment process in place to identify risks such as cyber security and to implement and monitor internal controls to respond to those risks.
- The auditor’s overall objective is to obtain reasonable assurance that the financial report is free from material misstatement. This is done through:
- Identifying and assessing risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment in accordance with ASA 315 (Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and Its Environment), and
- Designing and implementing responses to the assessed risks (in accordance with ASA 330 The Auditor’s Responses to Assessed Risks).
The auditor, as part of their risk assessment procedures, should consider the implications of cyber security on financial reporting. As they conduct the audit, they should remain alert to cyber events and their potential impact on the initial risk assessment performed.
General IT controls maintain the integrity and security of information and are relevant when considering cyber security. However, as an organisation’s operational and financial systems become more integrated, operational systems may also provide a point of access for attackers, which may not be considered as part of general IT controls. Depending on the specific circumstances of the entity, the auditor may already consider cyber security as part of their work around general IT controls.
The diagram below, from the AUASB Bulletin [2], illustrates how cybersecurity should be considered throughout the risk assessment process:
Next Steps
ASA 315 [3] has recently been updated to include more guidance on the consideration of risks associated with IT hardware, software and security systems (refer to Appendix 4 and Appendix 6 of the standard). Whilst the new standard is effective from financial reporting periods commencing 15 December 2021, it’s important that external auditors now engage in discussions with their clients surrounding these risks.
The AUASB has also established an advisory group to assist with monitoring and responding to the impact of technology on audit and assurance and plans to release a series of publications on topics, including assessing the integrity of data and assurance over cyber security controls.
The National Audits Group is currently reviewing the impact of the new ASA 315 Standard on auditing requirements and will be adopting a proactive approach with auditing staff and business clients in 2022.
If you’d like to discuss these issues further, please contact Danielle Nye at danielle@audits.com.au
In our next blog, we’ll discuss the impact of technology and COVID-19 on remote auditing as a service to business clients.
References:
- ACSC Annual Cyber Threat Report 202-21
- AUASB – The Consideration of cyber security risks in an audit of a financial report
- ASA 315 -Identifying and assessing the risks of material misstatement
- ASIC Report 716 – Cyberresilience of firms in Australia’s financial markets
Danielle joined National Audits Group in 2014 as a Senior Auditor and swiftly made her mark, being promoted to a manager role and then recognised as an Associate of the firm at only 28 years old. More recently, Danielle was appointed an Executive Director and Shareholder of National Audits Group, effective as of 1 July 2021.
Danielle is committed to the continuous improvement of the technical resources, tools, and templates used within National Audits Group and the profession as a whole. This commitment is driven by her passion for the profession and working closely with likeminded individuals who share her passion.
As such, Danielle prides herself on being our dedicated in-house Technical and Standards Specialist as well as our Training and Development Facilitator.
With Danielle’s experience, passion, approach and dedicated team of professionals, you will find that she is perfectly positioned to fulfill your engagements and ultimately provide your organisation with the services it requires.
Danielle forged her professional career by consistently demonstrating her passion and enthusiasm for the audit profession while completing her university studies, obtaining her Graduate Diploma, and becoming a Registered Company Auditor with the Australian Securities Investment Commission.
In addition to the abovementioned roles, Danielle has served as a volunteer Committee Member of the NSW Riverina and Southern Tablelands Group of the Chartered Accountants Australian and New Zealand (CAANZ) since 2018.
- Audit Training – Why It’s Important & What to Consider - 5 December 2022
- Is Remote Auditing Here To Stay? - 24 February 2022
- Cybersecurity and External Audits – Risk and Response - 19 January 2022
