Cybersecurity risk assessment essential to any audit: Institute of Singapore Chartered Accountants

AUDITORS should take cybersecurity risks into account for every audit - even when the company under audit has no online presence, according to a new report released by the Institute of Singapore Chartered Accountants (ISCA).

Auditors should also be aware that breaches may have occurred but remained undetected, the report notes.

The publication - believed to be the first in South-east Asia to provide guidance on cybersecurity risk considerations in a financial statements audit - was launched at the ISCA Practitioners Conference 2018 on Friday.

Some businesses with weak IT programmes and controls may not realise that they have been the subject of a cyberattack, the report warns.

This means auditors should conduct their audit keeping in mind that a cyberattack may have happened, regardless of any past experience with the entity and regardless of the auditor's belief about the entity's cybersecurity defence abilities.

The report also pointed out that while it is not the auditor's responsibility to detect every cyber incident that results in changes to a company's financial records, robust audit procedures have a good chance of picking up unauthorised material changes.

Auditors should consider involving subject matter specialists when cybersecurity issues are identified as a key business risk, added the report.

ISCA chief executive Lee Fook Chiew said cybersecurity risks have become one of the key threats to businesses.

"With this guide, we aim to equip audit professionals with knowledge in an area that will grow increasingly important in the future economy," he added.

Added PwC Singapore's digital trust and cyber leader Tan Shong Ye: "Cyber criminals have evolved from targeting computer systems and networks to breaching buildings, factories and safety controls systems through the embedded computer and communication chips.

"Increasingly, cyber risks are becoming pervasive and are causing an impact on financial line items treatment. This would need to be considered when we perform financial statement audits."