Four Ways CISOs Can Get The Most Out Of Their Financial Audit

The role of the CISO (Chief Information Security Officer) has evolved beyond its traditional scope of being a company’s “data guardian”. As C-suites begin to realize that just one cyber incident or breach brings with it severe financial and reputational costs, the position of the CISO grows in strategic importance and stature – and their remit extends far beyond cyber or IT. The stark reality C-suites are facing is that it may not be just one attack or incident. Cyber incidents are growing in their pace, quantity and complexity. Over the past 12 months we’ve seen a cyber security “trifecta” of:

Increased attacks – focused on inflicting maximum disruption

Greater severity – with attacks leading to financial, cashflow and asset loss, and reputational damage

Decreased controls – as work from home has reduced cyber controls

This “perfect storm” has brought with it new digital risks and data privacy issues. No wonder the CISO’s sphere of influence is expanding. Their remit has always been critical controls and frameworks – but their scope now extends to the financial audit.

What is the CISO’s role in an external audit?

The auditor’s job is to confirm the previous year’s accounts are free from material error and further, that the business is diligent in mitigating its risks in future years. Audit teams review transactions by extracting financial data from ERP and payroll systems. To ensure this data is complete and accurate, part of the audit team’s remit is to review and challenge the CISO’s controls. To this end, throughout the year, the audit team researches major risks and tests whether the mitigation measures are reliable and effective.

This alone means CISOs have a major interest in participating in the external audit process. And, as someone who’s worked in both CISO roles and audit teams before, there are also benefits to CISOs getting involved proactively. To participate in the cyber element of the external audit process and leverage the experience, a CISO should:

1. Connect with your audit team

Get ahead of the control review and engage with your audit team early on. Unsure of who they are? Ask your CFO or get a copy of your company’s most recent financial statements or annual report, where you’ll find the details of your company’s auditor, as well as the signing partner’s name. You can then contact the team supporting the audit, who can confirm key reporting dates in the coming year. Typically, IT General Controls testing is completed three months ahead of your company’s financial year-end.

2. Attend and participate in audit committee meetings

Your audit team engages directly with the audit committee. This means they can raise issues and challenge the leaders of the organization like no other group, making them a useful channel of communication for a CISO.

The audit committee has a significant role to play in overseeing and understanding the effectiveness of the company’s cyber risk mitigation measures. This can only be achieved when the CISO becomes a trusted adviser and regular attendee of this forum. Many of the decisions the board or audit committee considers – whether related to products or new markets – have cyber risk implications that the CISO should be aware of and involved in.

Many CISOs already attend and participate in audit committee meetings. If you don’t, and if your audit committee chair is resisting the idea, the head of audit will be a useful ally to promote your cause. Auditors know that, to be successful, a company’s cybersecurity efforts demand frequent engagement from the board and audit committee. This requires the CISO to become a regular audit committee attendee.

3. Understand how to effectively use information from the audit

External audit teams are typically highly diverse, with a variety of professionals, including cybersecurity experts. These teams are a useful resource for a CISO as they can provide an independent view of your organization’s cybersecurity environment, including how material your cyber risks may be or how your organization is benchmarked against peers.

4. Include your auditors in incident communication plans

Increasingly, the external audit process is being expanded to include cybersecurity. EY, for example, will be requesting audit clients to formally report significant cyber incidents that have occurred in the financial year and determining if there is a material financial impact. As such, CISOs should include the details of their auditors on any incident communications plans, getting ahead of the curve before end-of-year reporting.

If this topic is of interest to you and you would like to hear more from industry experts, the EY Asia-Pacific Cybersecurity Webcast covers it in more depth.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.