Cybersecurity – What is the auditor’s role?
Sumesh Krishna, Partner

Cybersecurity risks are continuously evolving; therefore, the auditor must continuously evaluate the potential for cybersecurity incidents to have a material impact on the financial statements. The Standards require the financial statement auditor to understand how the company uses its information technology systems and the impact of that use on the financial statements. This process includes understanding the extent of the company’s automated controls over transactions and the related reporting to the financial statements.
General IT systems controls are significant for the reliability of the data and reports that the company produces and uses in the financial reporting process, including with respect to IT risks resulting from unauthorized access. Financial statement auditors must draw on their understanding of the company’s IT systems and controls when evaluating the risks of material misstatement in the financial statements.
The systems and data in scope for most financial statement audits are usually a subset of the systems and data in the company’s IT environment that support its overall business operations.
The auditor focuses on access controls, controls over changes to systems and data, computer operations controls, and the reliability of information the company prepares using computer systems and data that could impact the financial statements, together with the effectiveness of those controls.
The financial statement auditor’s primary focus is on the controls and systems closest to the application data of interest for the audit of the financial statements. Audit procedures are then developed to address each company’s unique IT environment. Many cybersecurity incidents first occur through the perimeter and internal network layers, which tend to be further removed from the application, database, and operating systems typically included in access control testing of systems that affect the financial statements.
However, the cybersecurity risk landscape has evolved, and the frequency and complexity of cybersecurity attacks continue to change. For example, cybersecurity incidents have resulted in the disbursement of unauthorized funds (e.g., a wire transfer) through compromising the company’s email system. Such incidents may not necessarily be sophisticated in the use of technology; instead, they have adapted to exploit weaknesses in the company’s policies and procedures that are vulnerable to cybersecurity risk today.
As part of risk assessment and planning, auditors would broadly consider cybersecurity risks that could have a significant effect on the company’s financial statements. Considerations related to cybersecurity risks include the potential fiscal impact of such risks on the financial statements and the inability of an organization to issue financial statements promptly because of a breach of its financial reporting systems (e.g., due to a ransomware attack). For example, auditors may obtain an understanding of the company’s business operations that give rise to cybersecurity risk and, to the extent such risks are deemed material to the company’s financial statements, adjust their audit plan accordingly to address those risks. Common areas that may have exposure to cybersecurity risk include the transaction processes where bank account information is modified and funds are disbursed (e.g., wire transfer).
Concerning the company’s cybersecurity disclosures, the auditor’s responsibilities depend on whether the disclosures are included in the audited financial statements. If the disclosure is included in the audited financial statements, the auditor performs procedures to assess whether the financial statements, taken as a whole, are presented fairly in all material respects. The auditor’s assessment includes procedures specific to the financial statement disclosures. For example, if a cybersecurity breach with a material financial statement impact occurs, the auditor will perform procedures around the affected account balances and assess whether the disclosures related to material contingent liabilities, if any, are reasonable in relation to the financial statements taken as a whole.