Cyber security risk assessment vital to any audit: Report

Auditors must always take cyber security risks into account even if the company under review has no online presence, according to a new report.

It added that number-crunchers should also be aware that breaches may have occurred yet remained undetected.

The report released yesterday by the Institute of Singapore Chartered Accountants (ISCA) is believed to be the first in South-east Asia to provide guidance on cyber security risk considerations in financial statements auditing.

Some businesses with weak IT programs and controls may not realise that they have been the subject of a cyber attack, warns the report, which was produced with contributions from PwC Singapore.

This means auditors should keep in mind that a cyber attack may have happened - regardless of past experiences with the company or assumptions about the company's cyber security defence abilities.

The report also pointed out that while it is not the auditor's responsibility to detect every cyber incident that results in changes to a company's financial records, robust audit procedures have a good chance of picking up unauthorised material changes.

Auditors should consider involving subject matter specialists when cyber security issues are identified as a key business risk, added the report, which was launched at yesterday's ISCA Practitioners Conference 2018.

ISCA chief executive Lee Fook Chiew said cyber security risks have become one of the key threats to businesses: "With this guide, we aim to equip audit professionals with knowledge in an area that will grow increasingly important in the future economy."

PwC Singapore's digital trust and cyber leader, Mr Tan Shong Ye, added: "Cyber criminals have evolved from targeting computer systems and networks to breaching buildings, factories and safety controls systems through the embedded computer and communication chips.

"Increasingly, cyber risks are becoming pervasive and are causing an impact on financial line items treatment. This would need to be considered when we perform financial statement audits."

Ms Indranee Rajah, Second Minister for Law, Finance and Education, noted that taking into account cyber security risks can give practitioners a competitive edge.

"As your clients increasingly incorporate technologies into their operations, cyber security will become a key risk area to focus on," she added.

A version of this article appeared in the print edition of The Straits Times on June 02, 2018, with the headline 'Cyber security risk assessment vital to any audit: Report'.