For every type of organization, large or small, digitalization is gaining importance, and with it the dependence on correctly functioning IT systems. An essential part of the annual audit therefore concerns an analysis of the IT risks the organization faces and the extent to which it manages them. Within that IT landscape, cyber risks are becoming more prominent as attackers strike more frequently. Malware infections, network intrusions, ransomware, DDoS attacks, and phishing that tricks employees into handing over company information or user credentials: the intensity, scale and professionalism of cybercriminals have all increased significantly in recent years.
Research shows that executives and supervisory directors rank cybercrime among the top five risks relevant to their companies. The damage cybercrime can do to an organization is potentially enormous and spans many areas: customers can no longer be served, money is gone, company data is out on the street, crucial systems are inaccessible, the financial damage is hard to quantify, and the company's reputation takes a hit. Cybercrime also has a direct bearing on the annual accounts. Their basis consists of figures that are processed and stored digitally, and those figures can be altered or destroyed by an attacker from outside, or by someone who has obtained access from within. An incident that touches those systems therefore directly affects the integrity of the figures on which the financial statements rest.
Requirements from supervisory authorities
Not only executives and supervisory directors, but also governments and regulators are paying increasing attention to the resilience of organizations against cybercrime, both to protect the organizations themselves and to protect the interests of society. For instance, DNB requires the financial institutions it supervises to have their security in order and to test it regularly (or have it tested), and more laws and regulations are on the way. Back in 2016, the EU introduced the NIS (Network and Information Systems) Directive, now referred to as NIS1, aimed at large companies and institutions with functions essential to society, such as suppliers of electricity, water and networks. They were required to take information security measures to increase their cyber resilience. NIS2, which entered into force in 2023, replaces NIS1 and extends these obligations to a much wider range of sectors and to more organizations within them; member states must transpose it into national law, and supervision of compliance is expected to follow from 2025.
Individual sectors have also been working for years to manage cyber risks. In 2018, DNB started the TIBER-NL framework (‘Threat Intelligence-Based Ethical Red-Teaming’) for financial institutions, in which a controlled, intelligence-led attack is carried out against an institution's live production environment. DORA, the European Digital Operational Resilience Act, entered into force in 2023 and applies from January 2025; it imposes stricter minimum standards for ICT risk management, incident reporting and resilience testing on financial institutions. The healthcare sector has adopted the same basic principles from the financial sector in the ZORRO framework (‘Zorg Red-Teaming Resilience Oefeningen’), with the aim of structurally increasing the cybersecurity and resilience of healthcare institutions, including by periodically undergoing controlled, realistic cyberattacks.
Our approach
For us as auditors, identifying the relevant forms of cybercrime risk is an essential part of auditing financial statements. We first identify the cyber risks surrounding the preparation of the annual financial statements. We then form a picture of the control measures the organization itself has put in place to mitigate those risks. We do not only analyze the control measures as documented: our own cybersecurity specialists also test them in practice, for instance with a penetration test or a crisis simulation, because testing a control is more reliable than trusting what has been described on paper.
In these tests we look at every phase of a cyber incident: prevention, detection, eradication and verification. So: do the current security measures actually keep attackers out? If they get in anyway, how quickly are they detected, and by what means? How are they removed again? And how do you establish that they have really gone after the intervention, and have not left behind a backdoor, a rogue account or another form of persistence from which residual damage can still occur?
This gives us a good picture of how robust the control measures are in practice: for example, whether the organization's most valuable data (the ‘crown jewels’) is adequately protected, whether it is possible to break into the financial records or manipulate data, whether an attacker could initiate unauthorized transactions without being noticed and thereby enrich himself, and how material the resulting damage could be in relation to the financial statements. In short, whether management has been able to prepare the financial statements on the basis of reliable data.
Optimal resilience
Based on our assessment of an organization's existing IT risk and control framework, we make tailored security recommendations where necessary. Through this way of auditing, we make directors and supervisory directors aware of potential cyber risks, give them feedback on the organization's resilience to those risks, and provide insight into how that resilience relates to the preparation of reliable annual figures. Finally, we reflect this work in our audit report, informing not only management and the supervisory directors but also the company's other stakeholders.
A cyber audit of this kind gives organizations insight into whether they are adequately protecting their business-critical assets, whether they can keep their processes running after a cyberattack, and to what extent they can adapt to rapidly changing cyber risks and regulations.