Are Your Internal Controls Effective Against Cyberthreats?

In 2024, U.S. organizations that suffered a data breach lost an average of $9.36 million as a result. That's the highest average organizational cost among all the countries and regions covered in the 2024 Cost of a Data Breach Report by IBM and independent research firm Ponemon Institute. Malicious or criminal attacks, rather than IT failures or human error, were the source of more than half of those breaches.

As businesses automate more processes and rely heavily on digital data, financial auditors like us at Doeren Mayhew are starting to pay more attention to cybersecurity risks when reviewing financial statements and annual reports. This change means that audits now need to include a focus on cybersecurity, assessing the risks within the technical aspects of the companies being audited.

This audit season, prepare to answer questions about cybersecurity and the effectiveness of your company’s internal controls against cyberthreats.

Several Factors to Consider

Auditors provide guidance on how to incorporate a cybersecurity risk assessment into overall audit planning and how to respond to identified cyber risks and incidents that could impact the audit. This involves determining the relevance of cybersecurity risks for the organization, existing cyber defense controls and their effectiveness, and possible breaches in the company’s IT environment. 

When performing a cyber risk assessment, auditors will consider several factors:

  • Regulatory landscape: Depending on the location of company assets and subsidiaries, different regulations may apply. For example, companies operating in the European Union must comply with the General Data Protection Regulation (GDPR).
  • Third-party risks: This includes risks associated with cloud computing and SaaS providers. For instance, if a company uses a third-party cloud service to store sensitive data, it must ensure that the service provider has robust security measures in place.
  • Industry-specific threats: Different industries face unique cyber threats. For example, health care organizations must protect patient data from breaches, while financial services firms need to safeguard against fraud and unauthorized access to financial information.
  • Insider threats: Poor information security practices by employees can lead to breaches, especially with the rise of remote working. For example, an employee might inadvertently download malware by clicking on a phishing email.
  • Increased automation: Automation can introduce vulnerabilities, such as loopholes in maker-checker controls and potential hacking opportunities. For instance, automated systems might not detect sophisticated cyberattacks that exploit these loopholes.

Audit Inquiries

Possible questions auditors might ask during fieldwork include:

  • How does management identify and prioritize cyber risks?
  • What kind of internal controls has management established to safeguard digital assets and sensitive data (such as formal policies and procedures, employee training and the use of security analytics)?
  • How does management monitor internal controls to ensure effective operation?
  • Does management have a detailed breach response plan?
  • If a breach occurred during the accounting period, how did management respond and how much did it cost?
  • Has the company purchased cyber liability and breach response insurance?

Universal Risk Factor

In recent years we have seen a significant increase in private companies being victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The increasing frequency and severity of cyberattacks underscore the need for auditors of entities of all sizes to update their procedures. It's our job to ask key questions about cyber risks and the effectiveness of your internal controls. The answers, in turn, can help you formulate more effective governance strategies.
