2020 was a landmark year which has created many unprecedented changes in the lives around the world. It had disrupted lives / labour force, business operations, insolvency risks, resulted in inflation and supply chain. The pandemic has introduced us to new methodology of working by introducing a new concept of "Working from home". The introduction of new way of working has resulted in many cyber threats which the auditors need to address while doing the audit subsequent to 2020. High dependency on the internet specifically which are used in residence not having the requisite controls of the organization has increased the vulnerability of cyber attacks manifold.
The cyber risk has potential impact on the financial statement resulting in diminished cashflow, impairment of intellectual assets like patents or copyrights being violated, loss of revenue & market due to ransomware attacks, expenses incurred for investigation etc. While the audit of the financial statements the auditors cannot ignore the risk arising due to cyber attacks in the risk assessment as per the Auditing Standard 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment.
This article aids in providing to understand the cyber risk and the audit approach by the auditors to comply with SA 315.
Cyber Risks |
Audit approach |
Entity level |
|
The company may not appoint any responsible person to ensure the cyber security across the organization. |
• Obtain the organization chart of IT department • Ensure that CISO is appointment and check his roles and responsibilities • Ensure adequate segregation of duties |
Unpredictable IT environment for which controls may not be designed or implemented |
• Ensure that formal documented policies and procedures are documented covering all IT assets • These policies and procedures are regularly updated using version controls |
Risk of outdated regulatory and license compliance |
• Verification of checklist covering all the compliance requirement • Installation of only authorized software by the • company • Regular review of checking unlicensed software • In case of Working from home, insist on installation of license software by the organization |
Cyber Risk |
Audit Approach |
IT Asset Management |
|
Risk of unauthorized asset usage and intrusion |
• Check the list of all the IT assets (including the company assets and personal IT assets used by employees while working from home) • Segregation of company assets used by employees at home and personal assets used by employees |
Risk of redundant list of assets maintained |
• Ensure updating of IT assets on regular basis. • Obtain the physical verification report on regular basis. • In case of work from home environment, the pic of the asset containing the asset number can be obtained. |
Data Management |
|
The data may not be available in case of any failure to the server or the network |
• Check the data restoration policy of the company • Ensure that regular back up of the data are taken including the back up of the data from home. • The back up data are properly stored by a responsible person. • Regular testing of the data back up |
Unauthorized physical access to the data |
• Check for the restrictions of the server room • Check for the security of server room with CCTV, smoke detectors, Automatic fire suppression system etc |
Unauthorized logical access to the data |
• Check for the authorization list to the access of applications, operating systems, databases, network infrastructure. • Check for the mapping of the roles and the access provided • In case of working from home, check for the VPN privileges provided to the employees. |
Change Management |
; |
Due to the work from culture, the change with respect to the way the work is done may not be authorized by the process owner |
• Ensure that all the changes are made through proper authorization. Ideally through a "Change Request Form" • Ensure that changes made in the production environment should be tested and accepted. • Ensure that Segregation of duties is not compromised due the change introduced. |