1 June 2018 – The Institute of Singapore Chartered Accountants (ISCA) has launched a publication titled ‘Cybersecurity Risk Considerations in a Financial Statements Audit” to provide a guide for auditors on assessing cybersecurity risk in a financial statements audit. This is the first publication in Southeast Asia that provides guidance on cybersecurity risk considerations in a financial statements audit.
Cybersecurity risk is a business threat that has become increasingly common recently, posing immense challenges to entities in the current business environment. The severity and frequency of cyber attacks has continued to escalate over the years, such as the recent WannaCry cyberattack in 2017, which affected computers across 150 countries, with total financial damages estimated to amount to $4 billion[1]. As such, auditors will have to consider their client’s cybersecurity risk when planning and performing audit.
Produced by ISCA with contributions from PwC Singapore, “Cybersecurity Risk Considerations in a Financial Statements Audit” was launched today at the ISCA Practitioners Conference. The conference is organised by ISCA, with the Accounting and Corporate Regulatory Authority of Singapore (ACRA) and the Singapore Accountancy Commission (SAC) as Strategic Partners.
Mr Lee Fook Chiew, Chief Executive Officer, ISCA, said: “In today’s Digital Age, cybersecurity risk is one of the key threats to businesses. This publication provides financial statements auditors a guide in identifying and assessing cybersecurity risk, as well as the appropriate responses to the risks identified. With this guide, we aim to equip audit professionals with knowledge in an area that will grow increasingly important in the future economy.
According to PwC Singapore’s Digital Trust and Cyber leader, Tan Shong Ye, “Cybersecurity risk has become one of the top risks, identified by board directors, that could affect a company’sbusiness as well as financial statements. Cyber criminals have evolved from targeting computer systems and networks to breaching buildings, factories and safety controls systems through the embedded computer and communication chips. Increasingly, cyber risks, are becoming pervasive and are causing an impact on financial line items treatment. This would need to be considered when we perform financial statement audits.”
With different case studies to illustrate the diverse impact of a cyber attack on companies, the guidance demonstrates how cybersecurity threats and cyber attacks can impact financial reporting and hence its related audit. The publication also provides more insights on how auditors should take cybersecurity risk into account as part of risk assessment during audit planning. It provides the appropriate response to any risk identified or cyber incidents that have happened as well as those that were detected or suspected as a result of the audit. And it highlights the need for auditors to maintain their professional scepticism and be cognisant that breaches may have occurred but remained undetected.
Increasing Importance of Assessing Cybersecurity Risk
According to the publication, smaller businesses face just as much, if not higher risk of cyber attacks as compared to larger businesses, as they may lack the resources to have a robust infrastructure to fend off or detect these cyber attacks.
As seen in the WannaCry cyber attacks, vulnerable firms could face massive financial repercussions. Hence, it is important for auditors to consider cybersecurity risk in their assessment of all their client’s financial statements.