September 10, 2018
Published: Chartered Accountants Worldwide
The global interest in cybersecurity is growing. As we move into the cyber age, technology has become a huge part of both our everyday lives and today’s business environment, as more and more businesses increase their online presence and digital exposure by leveraging technology for almost every aspect of their business. But just as technology presents opportunities to many businesses, it also presents threats and challenges. Over the years, cyber attacks have continued to occur, escalating in frequency, severity and impact. These incidents have impacted every industry from financial services to retailers, entertainment and healthcare providers.
Undeniably, cyber attacks can have a huge impact on businesses. Given the changes in the business landscape and the hype over cybersecurity, it is worthwhile to explore whether financial statements auditors need to consider the cybersecurity risk of their clients.
Cybersecurity risk: an essential audit consideration
Perhaps due to its constantly evolving nature, cybersecurity risk remains complex and abstract to many. There may also be a perception that cybersecurity risk is not relevant to small businesses, hence, cybersecurity risk may not have been considered and addressed in all financial statements audits. But let us think about this: risk assessment is a crucial part of audit planning and auditors are required under the auditing standards to obtain an understanding of business risks that may result in risks of material misstatement of the financial statements. Just as auditors would consider an entity’s business risks in a financial statements audit, cybersecurity risk is an equally important risk area that cannot be ignored. Perhaps even more so, given the broad extent to which cyber attacks can cause fundamental enterprise-wide damage to organisations, and for some attacks, even a huge impact to the financial statements. Cybersecurity risk is hence an essential consideration in any financial statements audit.
Cybersecurity risk can affect many different areas of a business. For financial statements audit, the auditor only needs to consider the risks that could impact the financial statements and the entity’s assets. It would not encompass a comprehensive evaluation of cybersecurity risk and controls across the entity’s entire IT environment. For example, an online retailer experienced a cyber attack to its online retail platform, resulting in customers being unable to place online orders for a short period of time. Noting that the retailer has yet to increase protection of its system, the auditor may assess the possibility of another cybersecurity breach as higher. However, this represents a business risk to the retailer, with an opportunity cost of lost revenue when the system is down rather than a direct impact to the financials of the entity. On the other hand, if the online retail system is connected to the entity’s system that stores its confidential data and information, an attack like this can also expose the entity to other potential vulnerabilities. This may then require further assessment by the auditor.
Just as auditors would consider an entity’s business risks in a financial statements audit, cybersecurity risk is an equally important risk area that cannot be ignored.
Cybersecurity risk is relevant to almost every entity
For an entity operating with a traditional business model with no online presence, intuitively, one may think that cybersecurity risk does not apply. But this cannot be further from the truth. Unless the entity runs entirely on manual processes without any technology intervention or Internet connectivity, cybersecurity risk will come into play albeit in varying degrees. A small mom-and-pop provision shop, for instance, could be using a point-of-sales system and technology to monitor its inventories and hence, is also exposed to cybersecurity risk.
While most of the reported cyber attacks affected big businesses, small businesses also suffer from cyber attacks even though these may be less reported. For small businesses, the likelihood of experiencing cyber attacks is just as high if not higher, as their defences are typically less sophisticated and easier to penetrate. In fact, the impact could be more devastating or it may even go undetected. While larger businesses may have the resources to recover from the attacks, the chances of making a full recovery for smaller business may be much lower. Potentially, it could even put them out of business. Cybersecurity risk consideration is hence relevant to almost every entity, be it big or small, and with or without an online retail market.
As part of understanding an entity’s objectives, strategies, operations and risks, auditors would be able to identify the related business risks that may give rise to risks of material misstatements of the financial statements. Depending on the entity, cybersecurity risk may or may not be one of such risks. In the previous example of the provision shop, cybersecurity risk is unlikely to be a key risk area identified by the auditor as part of risk assessment, unless an actual cyber breach has occurred. In comparison with another example – a corporation adopting new-age digital technologies – cybersecurity risk would likely be one of the key risk areas. Therefore, auditors need to have a good understanding of the entity’s business and its IT environment, and determine the relevance of cybersecurity risk to the audit. Whether it is a provision shop or a corporation using the latest technologies in all aspects of its business, it would still be necessary to demonstrate that this has been considered and assessed.
Changes in the risk environment and the ways in which businesses operate also mean that business risks do not remain constant. In one year, cybersecurity risk may not have been identified as a key business risk that may result in risks of material misstatement, but this does not mean that the same goes for the next year. Take the example of a brick-and-mortar retail shop selling clothes which switches to online retail – the extent of exposure to cybersecurity risk would have changed with the change in its business model; it is hence important that cybersecurity risk be assessed from year to year.
Cybersecurity risk consideration is … relevant to almost every entity, be it big or small, and with or without an online retail market.
Effects of cyber attacks: more than what you think
Cybersecurity risks are broad and connected. The impact of cyber incidents may not be isolated or contained within single systems or networks, hence creating potential systemic risks. Pigeon-holing cybersecurity risk as merely IT risks also makes it difficult to recognise the full business impact of security breaches. The potential costs to an entity of a successful cyber attack can include loss of intellectual property, theft of confidential information, breach of customer data privacy, reputational damage, service and business disruption, damage to physical infrastructure (example, corrupted servers), alteration to financial records and transaction logs as well as the huge costs in response to the attack, such as lawsuits and settlements, regulatory inquiries, and more.
While not all the earlier cyber incidents mentioned appear to have a direct impact on the financial statements or the entity’s assets, incidents that relate to unauthorised access to financial reporting applications, data and digital assets recorded on the balance sheet clearly would. Even where the cyber incident does not directly impact the financial reporting applications and data, such as the common attacks involving theft of customer data, the auditor would still have to consider, among others:
– Remediation costs that the entity would have to incur, such as costs to repair the system damage, and compensation offered to customers to maintain business relationships;
– Regulatory inquiries and penalties for breaching data privacy;
– Potential lawsuits from affected customers and associated legal fees;
– Reputation and brand damage, and its impact to revenue, value of inventories, intangibles (impairment issues);
– Going concern issues.
Hence, when a cyber attack does occur, it is unlikely to be business as usual, either for the entity or the auditor, unless it is clearly insignificant and isolated.
No cybersecurity risk identified = no breaches?
Cybersecurity risk may not have been identified as a key risk area by the auditor as part of risk assessment, but this does not necessarily mean that no breach has occurred. Auditors should still maintain their professional scepticism when carrying out their audit as there could be events or conditions that may indicate a possible breach. Some businesses with weak IT programmes and controls may not even realise that they have been the subject of a breach. Auditors should hence conduct their audit with a mindset that recognises the possibility that an actual cyber attack may have happened. Through the performance of the usual audit procedures, it is still possible to identify such cyber incidents.
Let us assume that a traditional manufacturing company has no online presence. The auditor had performed the risk assessment and did not identify cybersecurity risk as a key risk area that might give rise to material misstatements of the financial statements. Accordingly, the auditor obtained an understanding, designed and performed testing over the relevant IT general controls. IT specialists were not engaged to perform additional work on cybersecurity testing. During the course of the audit, while performing testing of the revenue accounts, the auditor noted exceptions to the norm. Upon enquiries and further investigations, the entity then discovered that it had been the subject of a cyber attack which deleted some of its sales transactions. Without appropriate data backups and recovery contingency plans, the entity might not be able to present complete and accurate financial data.
Financial statements auditors do have a part to play
Financial statements auditors are not IT experts who can perform more sophisticated and detailed cybersecurity testing, which requires a special set of skills. However, financial statements auditors should consider and assess cybersecurity risk as part of risk assessment for every audit, as well as the possibility that breaches may have occurred. The conclusion may be that cybersecurity risk is not a key risk area that requires special audit attention, but the assessment is still required nonetheless to make such a determination.
Where cybersecurity risk has been identified as a key risk area that may give rise to material misstatements of the financial statements, the auditor should consider involving subject matter experts. Where a cyber incident has occurred, auditors would have to evaluate and understand the causes and determine whether additional audit procedures or an alteration in audit approach is necessary, evaluate the impact and severity of losses involved and the impact to the financial statements.