Bursa Malaysia has issued guidelines to guide directors of listed issuers in making disclosures concerning risk management and internal control in their company's annual report, pursuant to paragraph 15.26(b) of the Listing Requirements.
In making this statement, the Statement on Risk Management and Internal Control (SORMIC), companies are required to explain their governance policies, including any special circumstances that have led them to adopt a particular approach. The guidelines set out the obligations of management and the board of directors with respect to risk management and internal control. They also provide guidance on the key elements needed to maintain a sound system of risk management and internal control, and describe the process that should be considered in reviewing its effectiveness.
Does the external auditor of an organisation listed on Bursa Malaysia evaluate the client's overall cybersecurity risks, or the design and effectiveness of the operational controls the organisation has implemented to mitigate cyber risks? In actual fact, the auditor focuses only on the information technology (IT) that the public company uses to prepare its financial statements and on the automated controls around financial reporting, such as the controls over the reliability of underlying data and reports.
With respect to cybersecurity disclosures by a public company, the auditor evaluates whether those statements taken as a whole are fairly presented in accordance with generally accepted accounting principles, in all material respects. For example, if a company establishes a material contingent liability for an actual cyber-incident, then the auditor would need to evaluate, in the overall context of the financial statements, the appropriateness of the disclosure of that liability in the footnotes to those statements.
The auditor plays an even more limited role when cyber-related information is not contained in the financial statements themselves but elsewhere in a company's annual report. Here the auditor need not corroborate the information in the report. Instead, the auditor need only read and consider whether the cyber-related information in that report, or its presentation, is a material misstatement of fact or materially inconsistent with the information in the financial statements.
This leads to the question of whether cybersecurity risk is relevant to the audit of financial statements. Do financial statement auditors need to consider the cybersecurity risk of their clients when planning and performing the audit? Just as auditors consider an entity's business risks as part of risk assessment in a financial statement audit, cybersecurity risk is an equally important risk area that cannot be ignored. As highlighted in the previous section, cyber incidents can have financial consequences and therefore an effect on the financial statements. The financial impact on businesses can be massive and can cause fundamental enterprise-wide damage to entities. Cyber attacks can even go undetected, resulting in financial implications for the entity that are not reflected in the financial statements.
The auditor's responsibilities do not encompass a comprehensive evaluation of the risks and controls across the entity's entire IT environment. With a robust understanding of the entity and its environment, including the entity's cyber environment, the auditor would be able to identify specific risks that may give rise to risks of material misstatement. The auditor should also determine whether any of the risks identified are, in the auditor's judgement, significant risks that require special audit consideration.
As part of understanding an entity's objectives, strategies, operations and risks, auditors would be able to identify the related business risks that may give rise to risks of material misstatement in the financial statements. Depending on the entity, cybersecurity risk may or may not be one such risk.
If the auditor does perform an evaluation, what approach do they take to validate the effectiveness of the cyber framework(s) adopted for evaluating and managing cyber resiliency risk? Do they engage external third parties to conduct attack and penetration testing to determine the elements of the firm's cyber-risk strategy and its recovery capabilities? The nature of cyber threats is wide ranging. Therefore, if they do not engage external third parties, the auditor's objectivity, integrity and independence could possibly be conflicted or compromised.
You can be an electrician, a plumber or an HVAC technician. You cannot be both, or all three.