In recent years, there has been a rapid increase in cyber-attacks across every industry. The frequency, severity, and impacts have been frightening for many, causing organizations to implement measures and controls to protect their critical IT systems and data. Unfortunately, even effective IT controls can be bypassed by hackers and rogue employees posing a serious risk to existing accounting and internal control.
With an increase in business process automation and growing reliance on digital data as the single source of truth, financial auditors are beginning to consider the relevance of cybersecurity risks in relation to the financial statement and annual reporting. This calls for a change in the approach to IT audits to include a risk-based cybersecurity assessment in the technical domain of their auditees.
We need to enhance the well-known "Understanding of IT" activities through reinforcement with "Understanding of Cyber", obtaining knowledge of how cyber security threats are identified and managed in the environment. This should focus on governance (e.g., who is steering/reporting and responsible for cyber security risks and measures) as well as processes (e.g., response to a cyber security incident) as well as having a technical focus (e.g., implemented security in IT-systems).
KPMG’s global Cyber in the Audit (CitA) methodology has been developed to manage the risks that threaten the confidentiality, integrity, and availability of data storage and processing facilities. Given the independent nature of audit engagements, it would be unethical to issue an opinion on the complexity of the client’s security posture. Rather, our CitA approach supports IT audits by testing the cyber security measures which detect and prevent the bypassing of IT Application Controls and General IT Controls.
Auditors need to consider several factors when performing a cyber risk assessment, including:
- Industry-specific threats - such as in healthcare, financial services, etc.
- 3rd party risks - including cloud computing, SAAS.
- The regulatory landscape - depending on the location of company assets and subsidiaries.
- Insider threats - including poor information security practices by employees, especially with remote working.
- Increased Automation - which may allow for loopholes in maker-checker controls, hacking, etc.
KPMG’s CitA methodology provides guidance on how to incorporate cybersecurity risk assessment into overall audit planning, as well as how to respond to identified cyber risks and incidents that have occurred that could impact the audit. This is achieved by determining the relevance of cyber security risks for the organization, existing cyber defense controls and their operating effectiveness, and possible breaches in the company’s IT environment.
It is worth mentioning that as much as the primary attention of the auditor should be the applications and systems that house financial statement related data, all systems in their vicinity should also be scoped into the CitA audit. The network perimeter and internal layers are typically the gateway of cyber-attacks, and these are often not scoped in the access control testing of IT Audits, as focus is typically on the application, database, and operating systems that directly affect the financial statements.
Hackers represent a severe threat to existing accounting and internal control systems as they have the potential to bypass any (effective) IT control measures. Financial auditors must consider these risks in connection to financial statements and annual reporting as our business operations become more automated and digital data becomes the single source of truth. As a result, IT auditors must adapt their technique to include fact-gathering in their auditees' technical cyber security area.
The results of a cyber risk assessment are aggregated and fed into the overall audit plan to determine the impact on the financial statement and internal controls. The choice of sampling or substantive testing of digitally sourced evidence from the breached systems depends on this impact analysis.
Finally, CitA procedures should be designed to address each organization’s unique IT landscape and regulatory requirements. Auditors should tailor discussions with management and the audit committee accordingly.