Wis AU

Don't Overlook Cybersecurity Risks: What Auditors Consider and How They Impact Financial Reports



Since September last year, cybersecurity incidents have been reported by some of Australia’s largest companies, including Optus, Medibank Private Ltd and, more recently, Latitude Group Holdings and IPH Ltd.


How could cybersecurity risks impact the financial reports?

Cybersecurity risks can affect both the integrity and reliability of financial information, creating risks of material misstatement, which the external auditor needs to assess.

Cybersecurity risks can have a pervasive effect on general information technology (IT) controls, as well as IT application controls, and consequently may undermine the effectiveness of internal control systems and processes. This affects the reliability of the financial information used in the preparation of financial reports.

To assist auditors in considering the direct and indirect effects of cybersecurity risks, the Australian Auditing and Assurance Standards Board (AUASB) has published AUASB bulletin: The consideration of cyber security risks in an audit of a financial report.


According to the AUASB, cyber breaches can have the following direct and indirect effects on a financial report:


  • Recognition of provisions or disclosure of contingent liabilities as a result of a data breach: This may be the result of fines or penalties from regulators as well as the possibility of legal action from affected parties where sensitive data has been lost or leaked.

  • Change in the fair value of assets as a result of a cyber incident: When a particular industry is targeted, there may be a hesitancy to transact with entities within that industry.

  • Impairment of assets due to decreased operating cash flows as a result of a cyber-attack: Where an attack has shut down operations for a significant period of time, or where an attack has significantly damaged the organisation’s brand.


IT security controls auditors can look to implement:

· Formal IT security policy

· Formal incident response plan

· Security awareness training

· Password lengths of eight or more characters

· Two-factor authentication

· Network firewall

· Intrusion prevention system

· Website filtering solution

· Hard disk encryption for laptops

· Anti-virus software for all PCs and servers

· Quarterly OS patching for servers

· Automatic OS patching for PCs

· Daily data back-up

· Cyber insurance

