Cyber security considerations from a key audit matter context
Should cyber security be considered a default significant risk? If so, why do so few current ASX (Australian Securities Exchange) company audit reports contain a Key Audit Matter (KAM) disclosure relating to cyber security? Could it be due to a lack of understanding of the Information and Communications Technology (ICT) environment and of the inherent significant risks posed by cyber security vulnerabilities?
The reality is that Australia and New Zealand both lag behind their global peers in developing and introducing legislation that requires corporations to take the necessary steps to secure their data and the ICT environment they operate within. This, however, should not be seen as a reason to ignore the issue.
Looking at the alternative frameworks being introduced by organisations around the globe, it is clear that all companies must learn and apply best practice standards in order to stay one step ahead of, or at least keep pace with, the ever-evolving cyber landscape. Without a proactive approach from businesses and the relevant domestic regulators, the brand damage caused by a loss of data integrity or by business disruption could be catastrophic. In addition, the statutory penalties under the newly legislated data breach notification laws, which apply to serious or repeated interferences with the privacy of an individual, carry a maximum penalty of $1.8 million for corporate entities.
In light of this, cyber security threats and Privacy Act requirements should underpin the fundamental elements of any large organisation's risk management framework. Current best practice models comprehensively identify and address these high-risk areas.
As auditors, we have a duty that carries the force of law to review and assess the strengths and material weaknesses of a client's risk management framework. A lack of understanding of cyber security risks, Privacy Act requirements and ICT infrastructure capacity is no longer an excuse.
Having reviewed a diverse cross section of ASX 100 audit reports, it would appear that traditional accounting matters still form the overwhelming majority of KAM disclosures. Very few disclose a KAM associated with cyber security or with ICT infrastructure countermeasures.
ASA 701.08 defines KAMs as those matters that, in the auditor's professional judgement, were of most significance in the audit of the financial report of the current period.
We have seen multinational listed entities hit by significant data breaches and disruption events arising from cyber security weaknesses, Yahoo, Target and Sony Pictures Entertainment being prominent examples. In each case, it was reported that the entity suffered significant direct and indirect financial repercussions.
Given the similarities between the ICT environments and the types of personal data retained by those corporates and by most ASX-listed entities and large businesses, it can be argued that such comparable entities will also carry significant audit risks in relation to cyber security. It can therefore be concluded that, for companies whose ICT environment is pervasive to their business, we should expect to see a KAM relating to cyber security in their audit report.