The importance of cyber security cannot be ignored in banks, as banks function in an environment where the delivery of most services is technology dependent. It is imperative that the bank assess the impact of technology failure and the cyber security risks it faces. Cyber security risks and controls fall within the scope of the auditor's concern only to the extent that they could affect the financial statements. For this purpose, the auditor needs to understand the impact of IT on the financial statements.
It is important for the auditor to understand the cyber security risks the bank is exposed to and their impact on the financial statements. The auditor needs to evaluate the impact of those risks and the controls identified by management to mitigate them.
The auditor may consider the following factors when performing the evaluation:
- Cyber security policies and procedures designed
- Cyber security strategy and program
- Cyber security team and competency of the team and the authority provided by the Board
- How security awareness and end-user training are conducted
- Accountability and responsibility of Cyber security
- Access management including provisioning, de-provisioning and authentication
- Technical security controls including perimeter defence, antimalware protection, encryption, patch management, data loss prevention, secure configuration and intrusion detection
- Third-party / service provider risk management
- Incident response and recovery, including crisis management and escalation
- Recovery plans, including backups and testing of backup restoration
Audit planning and procedures to determine whether a cyber security breach has occurred
- Meet with the Chief Information Security Officer or the bank's cybersecurity program leader and inquire about the cybersecurity program: how cyber incidents are monitored, tracked and reported, and whether any cyber breaches have occurred.
- At the branch level, inquire of the branch manager, IT and finance management regarding whether a cybersecurity breach occurred at the bank.
- Observe meeting(s) or inspect minutes of the cybersecurity incident response team in which cybersecurity results were discussed and monitored.
- Attend Audit Committee meetings in which IT updates are provided regarding cybersecurity risk and the bank's program, or inspect minutes of Audit Committee meetings.
- Read drafts of the financial statements to determine whether a cyber breach occurred.
- Inspect the financial statements and the bank's disclosures related to cybersecurity to determine any changes in the current fiscal year.
- Inspect internal auditor reports and communications from the internal auditor to the Audit Committee regarding cybersecurity breaches.
- Search the internet for news articles or other external sources in which a cyber breach related to the bank was publicly disclosed, where applicable.
Audit procedures if a cyber security breach has been detected
- Internal control implications of the cybersecurity breach - Whether the incident resulted from one or more controls that were not suitably designed or not operating effectively.
- Accounting treatment of the effects of the cybersecurity breach - Whether the incident had a material effect on the bank's financial position or results of operations and required disclosure in a financial statement filing.
- Adequacy of the bank's disclosures related to the breach - Whether the incident resulted in sanctions by any legal or regulatory agency, and whether public disclosure of the incident was required (or is likely to be required) by any laws or regulations.
The final step in the audit is the evaluation of the control deficiencies identified. Based on severity, they can be categorized as:
- Material weakness: There is a reasonable possibility that a material misstatement of the bank's annual or interim financial statements will not be prevented or detected on a timely basis. An example is a lack of proper segregation of duties over financial reporting transactions.
- Significant deficiency: Less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the bank's financial reporting. An example is the absence of defined controls for a particular risk, such as change management for application programs.
- Deficiency: The design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. It is less severe than a material weakness or a significant deficiency.
Source: IFC of Public Sector Banks issued by ICAI