The importance of cyber risk assessment has increased manifold due to the pandemic. Some of the cyber threats which has developed over the last two years during the pandemic were the ransomware where the attack has increased by 150% due to the "Work from home" culture. Since the culture of the work from home encourages the individual to perform activities from home using their own network and internet connection. The transfer of data happens through the open source resulting in the risk of data sniffing. The individual who is performing at home may not use the firewall or suitable anti-virus software which may raise question regarding the data authenticity in the premises or during transfer of the data.
The recent development is the cloud environment where the data is hosted in the cloud instead of the security of the company owned server. The advantages of using of cloud environment are manifold but there are also risk regarding the over reliance on the third party for managing the data of the organization.
As an auditor, it becomes pertinent to consider all the risks specifically arising due to the new way of working i.,e Working from home culture during the planning of the audit as per the Auditing Standard SA 300 - Planning an Audit of Financial Statements and SA 315 - Identifying and Assessing the risks of material misstatement through understanding the entity and its environment.
During the planning of an audit as per SA 300, the auditor mustdevelop an audit plan and overall audit strategy to considering the risk as per SA 315 and response to the audit risk as per SA 330 - Auditor's response to the assessed risk. The audit planning needs to address the cyber security risks which has arisen due to the change of the working environment. It is also important as the audit staff may be visiting the client location and perform the audit assignment from home. Thus, the evidence to be obtained during the audit procedures and other activities like Inventory physical verification, physical asset verification or physical verification of invoices may not be performed by the audit staff while working from home.
As per the standard 315, the auditor should obtain understanding of the entity's operation, ownership and governance structure, the way the entity is structured and financed. In the current scenario of the pandemic the way the operations are carried out has gone through a significant change. The work is generally done from home thus the work may be stored in the employee's personal laptop or the organization laptop which may be connected through the network of the employee if the company does not have arrangements for secured VPN. In case the company has made suitable arrangements in the cloud environment, the work is stored in the cloud environment, it is important to have the risk assessment of the third party as per SA 402 Audit considerations relating to an entity using a service organization.
While using the work of the service organization, i,.e in the current scenario the work of the cloud service provider it is important to understand the Internal controls of the service organization specifically regarding the security of the data. To maintain the data in the cloud, it is important to comply with certain laws and regulations which may be national laws and international laws. In most of the cases, the organization (which is taking the services of the third party) or the auditor is not aware of the regulatory compliances with respect to maintaining the cloud space or the regulations regarding the storing of the data in the cloud. There is a high risk of the data disruption at any given point of time. During the risk assessment procedure as per SA 315, the auditor should not only address the cyber risk of the organization subjected to the audit, but also the risk of using the services of third party.
One of the risks currentlycould be sharing of the organization data with third party by the service organization. If the organization has not entered into non-Disclosure agreement or other appropriate arrangements with the service organization, the auditor needs to consider the risks and the related controls to mitigate such risks.
The audit evidence which the auditor needs to obtain as per SA 500 Audit Evidencehas also undergone change as the audit may not be done from the premises of the organization, the auditor, and the auditee both might be working from home. Thus, one of the major audit pieces of evidence which is gathered through observation may not be obtained as both the parties are working virtually. The audit has the risk regarding the sufficiency and appropriateness of the audit evidence. The electronic evidence which needs to be gathered during the audit and the auditees who would authorize such evidence has to be taken into consideration during the audit planning.
Conclusion
New way of performing operations resulting due to the pandemic also requires the auditor to address new risks which has emerged due to new methodology of working and overall reliance on technology. Apart from the other risk of the organization or the audit risk, it has become pertinent for the auditors to consider the cyber risk. The auditor has to consider the cyber risk in the risk assessment procedure and also in the audit risk while obtaining audit evidence and ensure the sufficiency and appropriateness of the audit evidence.