What is your external auditor’s responsibility for cybersecurity?
Data breaches can be costly. The average total cost of a data breach has risen to roughly $4.45 million, according to a 2023 survey of information technology (IT) security professionals by the Ponemon Institute (a research center dedicated to privacy, data protection, and information security policy). That figure has grown 15% overall in the last three years. Notably, data breach costs have increased 53% in the health care sector since 2020.
Auditors consider all kinds of risks when they prepare financial statements. Here’s how they specifically tackle the issue of IT security in an audit.
Audit scope
When it comes to evaluating cybersecurity risks, auditing standards require auditors to:
- Learn how businesses use IT and the impact of IT on the financial statements,
- Understand the extent of the company's automated controls as they relate to financial reporting, and
- Use their understanding of business IT systems and controls in assessing the risks of material misstatement of financial statements, including IT risks resulting from unauthorized access.
The auditor’s role is limited to the audit of the financial statements and, if applicable, the internal control over financial reporting (ICFR).
Primary focus
An auditor’s primary focus is on controls and systems that are in closest proximity to the application data of interest to the audit. This includes enterprise resource planning (ERP) systems, single-purpose applications (such as fixed asset systems), and any connected systems that house data related to the financial statements.
Companies must continuously update their controls and systems to keep pace with the latest hacking techniques. Increasingly, companies are using artificial intelligence (AI) and automation to detect and contain breaches. According to the 2023 Ponemon Institute report, organizations that fully deployed cybersecurity AI and automation saw breach lifecycles that were, on average, 108 days shorter than those of organizations without these technologies in place. In addition, organizations that used cybersecurity AI and automation extensively to identify breaches experienced average losses $1.76 million lower than those without these technologies. In fact, these technologies were the biggest cost-savers identified in the report.
An auditor’s responsibilities don’t encompass an evaluation of cybersecurity risks across a company’s entire IT platform. But, if auditors learn of material breaches while performing audit procedures, they consider the impact on financial reporting (including disclosures) and ICFR.
Fortifying your defenses
Data breaches have become increasingly common and costly. It’s critical for business owners and managers to understand the scope of the external auditor’s responsibilities in this area and develop a cybersecurity program that mitigates the risks.