How Auditors Assess Cyber Risks


19 Mar

Data security is a critical part of the audit risk assessment. If your financial statements are audited, your audit team will tailor their procedures to answer critical questions about cyber risks and the effectiveness of your internal controls. While conducting fieldwork, they will assess how your practices measure up and whether your company has weaknesses that may require additional inquiry, testing, and disclosure.

Is cybersecurity a priority?
Most companies today view cybersecurity as a business problem, not just as an information technology (IT) issue. During the audit process, it is important to identify the ‘crown jewels’ of your company’s data assets, and then consider how your management team evaluates, manages, and responds to cyber risks and cybersecurity incidents.

People are often the weakest link in cybersecurity. So, auditors will evaluate your company’s training, awareness, and accountability policies to ensure that sensitive data is kept safe. Those policies may need to be regularly updated as 1) hackers get more sophisticated and find new ways of breaking into systems and 2) your business environment changes.

For example, remote working arrangements during the COVID-19 pandemic have resulted in new risks as employees access data from less-secure home networks. So, companies may need to modify their practices to maintain effective data security.

Auditors also consider the tone at the top of your organization. Cybersecurity should be integrated into an organization’s values and goals. Responsibility should not rest solely in the hands of your company’s IT department. After all, if your company cannot keep its intellectual property and customers safe, its ability to operate will ultimately be diminished over the long run.

What is important to investors and lenders?
To date, the Public Company Accounting Oversight Board has not found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. So, stakeholders generally have confidence in the ability of auditors to evaluate and identify cyber risks.

However, audit committees and other external stakeholders recognize that there is a risk that future cyberattacks may affect financial reporting. They also expect auditors to actively communicate about cybersecurity measures and the costs associated with breaches. The full cost of a data breach — including response and reputational damage — may not always be apparent. Financial statement disclosures should be as accurate, timely, and comprehensive as possible.

An Agile Approach
Many traditional audit risks — such as supply chain and related party risks — tend to be fairly constant and predictable over time. But cyber risks are constantly evolving. We have experience evaluating and disclosing data security practices. Each accounting period, our audit team will take a fresh look at your company’s cyber risks in today’s marketplace and modify our audit procedures as necessary. We can also help get your policies and procedures back on track if they have not kept up with the times.