
Cyber Security Risks and Implications for Financial Audit

Companies are now mandated to disclose past cyber attack incidents and risks of future cyber attacks by the U.S. Securities and Exchange Commission (SEC) and the Department of Financial Services (DFS) of New York State. This assignment discusses the implications of these regulations and the need for companies to establish reliable internal IT security frameworks.

15 pages, 4964 words

Added on 2022-11-12

About This Document

This article discusses the importance of cyber security compliance and the risks and implications of cyber security breaches for financial audit. It highlights the need for audit professionals to understand cyber security risks and provide competent professional counsel to their clients. The article also covers the role of audit committees in managing cyber security risks and complying with regulations such as 23 NYCRR 500.

Introduction
As part of the management discussion and analysis (MD&A), the U.S. Securities and Exchange Commission (SEC) now mandates that companies disclose past cyber attack incidents and the risk of future cyber attacks. Companies that fail to establish a reliable internal IT security framework face the risk of failing to comply with the SEC disclosure requirement, as well as financial loss and litigation following a cyber security breach. Effective as of March 1, the Department of Financial Services (DFS) of New York (NY) State recently adopted a pioneering set of cyber security compliance requirements that regulate any business or organization under its reporting jurisdiction.

This requirement, known as 23 NYCRR 500, mandates that each company or institution anticipate, plan for, and thwart potential cybercriminals by requiring "each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion." Although most companies affected by 23 NYCRR 500 are banks and large financial institutions, such as insurance companies and mortgage brokers, which have already invested substantial financial and technology resources in cyber security, similar regulations may soon proliferate to other companies regulated by the SEC. It is imperative for external and internal audit professionals to understand the risks and regulations pertaining to cyber security and to provide competent professional counsel to their clients. At the very minimum, Certified Public Accountant (CPA) firms will very likely be included in a similar regulatory framework in Canada.
Cyber Risk and Implications for Financial Audit
A typical misconception about cyber security is that banks and financial institutions are easy prey for cyber criminals, who have little interest in hacking non-financial organizations. Indeed, almost every financial institution has an extensive online platform for processing accounts and transactions, which has given their customers better control of and access to their financial assets (Trautman & Altenbaumer-Price, 2010). However, many cybercriminals avoid attacking these financial institutions, which have far more sophisticated and comprehensive security infrastructures, and prefer non-financial "brick and mortar" stores with some online presence, which are often seen as the low-hanging fruit by these cyber criminals (Trautman & Altenbaumer-Price, 2010). For example, Canadian Tire Corporation (CTC) admitted in 2017 that its customer information, including CTC credit card information and loyalty account transactions, had been hacked and stolen by an unknown party (Charitoudi & Blyth, 2013).
Cyber-attacks can have a catastrophic impact on the survival of a large organization. Credit reporting giant Equifax suffered a massive breach affecting 143 million users in the United States and Canada, the largest cyber-security breach in the modern financial industry, and more than 45 lawsuits have been filed against Equifax in the United States, the United Kingdom and Canada. Within one month of the cyber attack, Equifax's publicly traded shares had fallen by more than 25%, reducing Equifax's market value by 4 billion dollars. The prevalence of cyber security breaches that hack and infiltrate a company's network to steal confidential information is growing at a stunning rate (Trautman & Altenbaumer-Price, 2010). However, the front-page business news stories only reveal the deep-pocketed billion-dollar organizations that fell victim to cyber attacks; most small to medium-sized corporations simply did not disclose their cyber-security breaches to the public (Charitoudi & Blyth, 2013). It is almost certain that most companies will be subject to a cyber-attack in the near future (Gordon et al., 2013).
Inaccurate or erroneous financial information has audit implications. Audit procedures apply to those systems where the risk of material misstatement is high, and they also serve to ensure that the accounting information is true and fair.
Regulatory agencies and audit firms have historically only responded to cyber-security incidents afterwards, and only if these attacks were material (Alper, 2017). However, internal and external audit professionals collect, extract and share a tremendous amount of sensitive financial information regularly (Trautman & Altenbaumer-Price, 2010). It is audit professionals' professional obligation to counsel their clients to protect this data to the best of their capabilities (Charitoudi & Blyth, 2013). For example, audit professionals should help their clients fully understand the financial and regulatory obligations of 23 NYCRR 500. Here, a financial obligation means a liability to pay money to another party, whereas a regulatory obligation refers to those duties and functions under 23 NYCRR 500 that are required to be performed (Gordon et al., 2013).
Audit Committee’s role in the Management of Cyber Security risks
Audit professionals should advise audit committees and financial professionals to invest sufficient human and technology resources in managing cyber security risks. Granted, the components of cyber security are highly technical and hard to understand for professionals without formal training in information technology (IT) (Charitoudi & Blyth, 2013). However, audit professionals must advise their clients not to make a business decision without understanding its implications for cyberspace security (Alper, 2017). Many audit and finance committees fail to recognize that IT risk, and cyber attack risk in particular, should be managed as an essential component of business strategy (Charitoudi & Blyth, 2013). Rather, these audit and finance committees tend to abdicate their duties, delegate cyber security entirely to the IT department, and avoid involvement in subsequent discussions with the IT department (Trautman & Altenbaumer-Price, 2010).
Cloud computing is an interesting technology platform for demonstrating the best-in-class practice of audit professionals collaborating with IT professionals to manage potential cyber risk (Trautman & Altenbaumer-Price, 2010). It is increasingly popular for small and medium-sized businesses to migrate their IT infrastructure from internally hosted servers to cloud platforms. Despite its many advantages, the cloud computing platform is an immediate and foreseeable cyber security risk (Alper, 2017). However, many financial professionals and audit committees simply jump on the cloud computing bandwagon without fully recognizing the audit and financial risks involved (Gordon et al., 2013). Several types of risk are associated with cloud computing; some important ones are:

Data breach: the risk of a data breach is the most common cloud security risk, and it concerns the security of the data itself.
Human error: human fault is the main reason behind cloud system failures.
Data loss: if backups are not created on a daily basis, there is a high chance of data loss.
Insider threat: the insider threat is also associated with this system.
Exploits: the multitenant nature of the system also creates several risks.
Audit professionals should collaborate with the audit committee to help manage and communicate cyber security risks pertaining to the cloud platform effectively. Granted, the cloud platform is highly technical and complex, but its risks bear some similarities to the pre-internet information risks of organizations. Custodianship of intangible assets, authentication of financial transactions, and good recordkeeping practices were widely adopted as part of good corporate governance practice to ensure information security before the Internet era (Alper, 2017). However, for most audit professionals on audit committees, the knowledge or intention to communicate cyber security risks and mitigation strategies to employees, shareholders, and other stakeholders is simply insufficient (Trautman & Altenbaumer-Price, 2010). While the cloud platform and other IT-based control techniques must be used to mitigate cyber security risks, those risks must also be translated into a genuine conversation by the IT professionals who are responsible for the implementation and management of business
