A financial statement audit focuses on providing an opinion on the fair presentation of the financial statements. The auditor should be aware of the risk of cyber incidents in the financial reporting process that may affect the numbers reported in the financial statements.
Typically an IT system encompasses the perimeter network, the internal network (LAN or WAN), the operating system, the database and an application such as SAP or Oracle. A financial statement audit does not cover all data and systems of a company, so the auditor will not evaluate the entire IT platform or perform penetration tests and similar assessments of cyber risk. The responsibility for mitigating risks, including cyber risk, rests with management, and the buck stops at the board of directors' door.
However, the auditor will focus on the data and systems that are relevant to preparing the financial statements. Understanding which data and systems feed financial reporting, and addressing the IT risks affecting that process, is therefore key to a good audit. The auditor should use people knowledgeable in IT to test the access controls relevant to financial reporting and so reduce the risk of a cyber incident having a significant impact on the financial statements. In a financial statement audit, access controls over the applications, databases and operating systems involved in financial reporting are relevant. Controls at the internal and perimeter network layers are unlikely to be the focus of the auditor, but the auditor may still need to understand whether management has adequately mitigated risks at those layers.
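The kind of access-control test the paragraph refers to is usually a review of user listings exported from the application, database and operating system layers. The script below is an added example, not a procedure from the original page or from any audit standard; the record layout, role names, segregation-of-duties pairs and privileged-role lists are assumptions, and the user listing and HR termination data are constructed for illustration. It runs three common checks: terminated employees who still hold active accounts, one person holding conflicting financial roles (including across two accounts), and shared or generic accounts that hold privileged roles at any layer.

```python
"""Added example of an IT general controls access review over a constructed
user listing. Record layout, role names and the SoD/privileged lists below
are assumptions for illustration, not taken from the page or any framework."""

# Constructed sample listing, as might be exported from a financial application,
# its database and the host OS. "owner" is the HR employee id, or None when the
# account is not tied to an individual (service, shared or built-in accounts).
ACCESS_LISTING = [
    {"layer": "application", "account": "jdoe", "owner": "E100",
     "roles": {"AP_INVOICE_ENTRY"}, "status": "active"},
    {"layer": "application", "account": "asmith", "owner": "E101",
     "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "status": "active"},
    {"layer": "application", "account": "bwong", "owner": "E102",
     "roles": {"JOURNAL_POST"}, "status": "active"},
    # Same person, second account: the conflict only appears when roles are
    # aggregated per owner rather than per account.
    {"layer": "application", "account": "bwong_adm", "owner": "E102",
     "roles": {"JOURNAL_APPROVE"}, "status": "active"},
    {"layer": "application", "account": "clee", "owner": "E103",
     "roles": {"GL_VIEW"}, "status": "active"},
    {"layer": "database", "account": "dba_shared", "owner": None,
     "roles": {"DBA"}, "status": "active"},
    {"layer": "database", "account": "fin_app", "owner": None,
     "roles": {"APP_SCHEMA_OWNER"}, "status": "active"},
    {"layer": "os", "account": "root", "owner": None,
     "roles": {"root"}, "status": "active"},
    # Disabled privileged account: should not be reported.
    {"layer": "os", "account": "mpatel", "owner": "E104",
     "roles": {"Administrators"}, "status": "disabled"},
]

# Constructed HR feed: employee ids that have left the company.
HR_TERMINATED = {"E103"}

# Assumed segregation-of-duties conflicts (role pairs one person must not hold).
SOD_CONFLICTS = {
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    ("JOURNAL_POST", "JOURNAL_APPROVE"),
}

# Assumed privileged roles per layer that must be tied to a named individual.
PRIVILEGED_ROLES = {
    "application": {"SAP_ALL"},
    "database": {"DBA"},
    "os": {"root", "Administrators"},
}


def active(listing):
    """Only active accounts matter for the tests below."""
    return [r for r in listing if r["status"] == "active"]


def find_terminated_with_active_access(listing, terminated):
    """Active accounts whose owner appears in the HR termination list."""
    return sorted((r["layer"], r["account"])
                  for r in active(listing) if r["owner"] in terminated)


def find_sod_conflicts(listing, conflicts):
    """Conflicting role pairs held by one owner, aggregated over all their accounts."""
    roles_by_owner = {}
    for r in active(listing):
        if r["owner"] is None:
            continue
        roles_by_owner.setdefault(r["owner"], set()).update(r["roles"])
    findings = {}
    for owner, roles in roles_by_owner.items():
        hits = sorted(p for p in conflicts if p[0] in roles and p[1] in roles)
        if hits:
            findings[owner] = hits
    return findings


def find_unowned_privileged_accounts(listing, privileged):
    """Active accounts with no named owner that hold a privileged role for their layer."""
    return sorted((r["layer"], r["account"]) for r in active(listing)
                  if r["owner"] is None
                  and r["roles"] & privileged.get(r["layer"], set()))


def run_access_review(listing=ACCESS_LISTING, terminated=HR_TERMINATED,
                      conflicts=SOD_CONFLICTS, privileged=PRIVILEGED_ROLES):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "terminated_with_access": find_terminated_with_active_access(listing, terminated),
        "sod_conflicts": find_sod_conflicts(listing, conflicts),
        "unowned_privileged": find_unowned_privileged_accounts(listing, privileged),
    }


if __name__ == "__main__":
    for check, result in run_access_review().items():
        print(f"{check}: {result}")
```

Each finding is something management has to explain or remediate; the auditor's interest is whether the exceptions could let someone alter financial data without detection, not in fixing the accounts. Note that the disabled OS administrator and the unprivileged service account produce no findings, so the checks discriminate rather than flagging every non-individual account.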
If a cyber incident comes to the attention of the auditor, the auditor has the responsibility to:
* Understand the incident
* Evaluate its impact on the audit approach
* Evaluate management’s assessment of the impact on the financial statements
* Communicate findings to management and audit committee
* Assess impact on audit report or disclosures.
It is important to understand that the auditor does not provide assurance on the adequacy of controls to address cyber risks or on the company's ability to withstand a cyber incident. If the audit committee wants assurance on cyber security, it should obtain it under a separate engagement.