Over the last few years, there has been considerable integration of technology within the process by which entities operate, including increased reliance on internet connectivity. These changes have been accelerated by the impact of COVID-19 on the way businesses engage with staff, suppliers and customers. Remote working is widespread.
Whilst heightened online communication presents enormous opportunities, increased connectivity and reliance on the internet increases the risk of cyberattacks such as unauthorised access to information systems. Such attacks often result in loss of proprietary and sensitive information; manipulation and destruction of data, systems and networks; and even the harming of physical assets.
The Australian Cyber Security Centre (ACSC) reported that in the 2020/21 financial year it received 67,500 cybercrime reports, equivalent to one report every 8 minutes [1]. Self-reported losses from cybercrime totalled more than $33 billion. Clearly, cybersecurity is a key issue for all businesses; however, many still do not adequately consider it when assessing business risk.
For auditors, specific potential issues in relation to material misstatement of financial reports must be addressed. According to the AUASB, cyber breaches can have the following direct and indirect effects on a financial report:
- Recognition of provisions or disclosure of contingent liabilities as a result of a data breach: This may be the result of fines or penalties from regulators, as well as the possibility of legal action from affected parties where sensitive data has been lost or leaked.
- Change in the fair value of assets as a result of a cyber incident: When a particular industry is targeted, there may be a hesitancy to transact with entities within that industry.
- Impairment of assets due to decreased operating cash flows as a result of a cyber-attack: Where an attack has shut down operations for a significant period of time, or where an attack has significantly damaged the organisation’s brand.
- Implications for the organisation’s ability to continue as a going concern if its operations or reputation are severely affected.
A recent Auditing and Assurance Standards Board (AUASB) Bulletin, ‘The consideration of cyber security risks in an audit of a financial report’ (May 2021) [2], outlined the responsibilities of management and those charged with governance:
- Management is responsible for having a risk assessment process in place to identify risks such as cyber security and to implement and monitor internal controls to respond to those risks.
- The auditor’s overall objective is to obtain reasonable assurance that the financial report is free from material misstatement. This is done through:
  - Identifying and assessing risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment in accordance with ASA 315 (Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and Its Environment), and
  - Designing and implementing responses to the assessed risks (in accordance with ASA 330, The Auditor’s Responses to Assessed Risks).
The auditor, as part of their risk assessment procedures, should consider the implications of cyber security on financial reporting. As they conduct the audit, they should remain alert to cyber events and their potential impact on the initial risk assessment performed.
General IT controls maintain the integrity and security of information and are relevant when considering cyber security. However, as an organisation’s operational and financial systems become more integrated, operational systems may also provide a point of access for attackers, which may not be considered as part of general IT controls. Depending on the specific circumstances of the entity, the auditor may already consider cyber security as part of their work around general IT controls.
The diagram below, from the AUASB Bulletin [2], illustrates how cybersecurity should be considered throughout the risk assessment process:
Next Steps
ASA 315 [3] has recently been updated to include more guidance on the consideration of risks associated with IT hardware, software and security systems (refer to Appendix 4 and Appendix 6 of the standard). Whilst the new standard is effective from financial reporting periods commencing 15 December 2021, it’s important that external auditors now engage in discussions with their clients surrounding these risks.
The AUASB has also established an advisory group to assist with monitoring and responding to the impact of technology on audit and assurance and plans to release a series of publications on topics, including assessing the integrity of data and assurance over cyber security controls.
The National Audits Group is currently reviewing the impact of the new ASA 315 Standard on auditing requirements and will be adopting a proactive approach with auditing staff and business clients in 2022.
If you’d like to discuss these issues further, please contact Danielle Nye at [email protected]
In our next blog, we’ll discuss the impact of technology and COVID-19 on remote auditing as a service to business clients.
References:
- [1] ACSC – Annual Cyber Threat Report 2020-21
- [2] AUASB – The consideration of cyber security risks in an audit of a financial report
- [3] ASA 315 – Identifying and Assessing the Risks of Material Misstatement
- [4] ASIC Report 716 – Cyber resilience of firms in Australia’s financial markets