INTHEBLACK October 2021 - Magazine - Page 9
IT SECURITY CONTROLS AUDITORS CAN LOOK TO IMPLEMENT:
• Formal IT security policy
• Formal incident response plan
• Security awareness training
• Password lengths of eight or more characters
• Two-factor authentication
• Network firewall
• Intrusion prevention system
• Website filtering solution
• Hard disk encryption for laptops
• Anti-virus software for all PCs and servers
• Quarterly OS patching for servers
• Automatic OS patching for PCs
• Daily data back-up
• Cyber insurance
The Bulletin emphasises that, in relation to cybersecurity, it is the auditor’s responsibility to consider the risk of material misstatement in the financial report as part of risk assessment procedures and to respond appropriately where a risk of material misstatement is identified. Executives in management and governance remain responsible for having a risk assessment process in place to identify risks, including cyber risks, and to implement and monitor internal controls to respond to those risks.

Auditing standards require the auditor to understand how the organisation uses IT and the impact of IT on the financial report. This includes an understanding of the extent of the organisation’s automated controls as they relate to financial reporting, including the general IT controls that are important to the effective operation of those automated controls, and the reliability of data and reports produced by the company and used in the financial reporting process.

It is important to remember that an organisation’s overall IT platform includes systems and related data that not only address financial reporting needs, but also the operational and compliance needs of the entire organisation. The auditor’s primary focus with respect to cybersecurity risks should be on the systems and controls that ensure the security of data relevant to the preparation of the financial report.
Mitigating the risk of cyber attacks may involve companies upgrading their existing cybersecurity systems and processes.

Maintaining remote access controls will typically require periodic changes, new or incremental virtual private network controls, instituting multi-factor authentication and regular anti-spyware updates.

In addition, companies need to ensure that appropriate cybersecurity controls are in place when new technology, whether hardware or software, is deployed. This has been especially critical during the pandemic, as many employees have been accessing corporate systems remotely.
The regulator has already sprung into action, with the Australian Prudential Regulation Authority (APRA) introducing Prudential Standard CPS 234 Information Security and issuing cybersecurity guidance for the financial services industry.

APRA has advised that it will be asking boards of financial institutions to engage an external audit firm to conduct a thorough review of the institution’s CPS 234 compliance and report back to both APRA and the board. The purpose of the exercise is to identify compliance issues and ensure they are rectified as quickly as possible. It is also intended as a message to business about the seriousness of cyber threats and the need for greater accountability.