Audit firms need cybersecurity expertise, says SigOct Founder

Cybersecurity is set to become a bigger component of audit, says Ian Sharland.

This Future of Audit Series interview is proudly brought to you by ACCA.

Along with the benefits of digital transformation come risks. “Cybersecurity is part of ensuring the sustainability of a business,” says Ian Sharland, founder of SigOct. “The sustainability of a business needs to be included in the audit focus. Therefore, audit firms need to understand how to audit cybersecurity.”

Ian founded SigOct to assist SMEs to identify and minimise cybersecurity risks. “Cybersecurity matters more to small and medium enterprises,” he explains. “This is because common cyberattacks are more of an existential threat to companies with fewer resources to deal with the fallout. SigOct basically helps SME management understand their own environments, their own risks, and the key areas to focus on to meaningfully reduce the risk of a cyberattack.”

Ian started his career at PwC as an IT auditor before joining Bidvest Group, where he worked in various roles, starting in group internal IT audit as an audit manager, and ending up as national IT governance and cybersecurity manager for Bidvest Data.

He says cybersecurity breaches have significant financial and non-financial costs. Business Insider reported that the cost of an average data breach in 2020 was R50 million. But beyond the financial blow (which might wipe out a small business entirely), there’s also the trust and reputational factor to consider. Ian cites the Panama Papers breach as an example. Panamanian law firm Mossack Fonseca was hacked in 2016, with roughly 11.5 million confidential documents leaked by a whistle-blower. The firm ultimately announced its closure in 2018.

“Data breaches speak directly to trust and credibility risk, because who’s going to bank with a financial institution that can’t secure your personal information or your account; who’s going to choose a law firm that can’t guarantee the confidentiality of your personal information?” says Ian. This is something audit firms need to consider carefully for themselves, as they have access to sensitive information on their clients and store this information for a period after the audit has finished.

Ian believes audit firms need to not only invest heavily in their own cybersecurity, but to improve their understanding of it from an audit perspective. “Firms tend to do a very high-level, IT governance focused audit as part of the financial year-end audit, effectively just focusing on gaining some minimal level of comfort primarily over financial systems, and maybe key drivers of revenue systems,” he says.

“At best, they might ask a few questions on patching, vulnerability management, and antivirus, when dealing with cybersecurity. But the audits that are done in support of financial audits don’t even come close to hitting the level of detail that is needed to adequately assess the cyber risk of a business. At this point, insurance companies are generally doing a better job of assessing cyber risk, as part of their process of quoting on cover.

“Basically, the scope of work that the audit support function is using is not adequate to really assess cyber risk in any kind of detail and give any substantive view of the related sustainability of the business.”

Scarce cyber skills
Ian says audit firms need to hire the right skills. “They need specialists in their audit support functions. They can't rely on IT generalists anymore. They now need security specialists who can start scoping the appropriate cybersecurity aspects of the IT audit.

“The IT audit is never going to go away, because IT governance still matters. And although there is some overlap between IT governance and cybersecurity because the type of questions that we’re asking and controls we’re looking at are relatively similar, it needs a different and more specialist skills set to assess cyber risk properly.

“Audit firms are going to find themselves in the same situation as the rest of the security industry, namely that there just aren't skills available to employ. Ultimately, they need to focus on getting the skills on board first, before they can start defining better scopes and executing more thoroughly, if they want to really start getting a view of cybersecurity sustainability within the business.”

He admits it’s a challenge, because businesses tend to avoid adding items to their audit scope as it increases cost directly and audit firms are already experiencing fee pressures. While legislative changes (such as the introduction of POPIA) force action in some respects, Ian says that true risk management means moving beyond tick-box compliance.

“Putting things down on paper and saying what you’ll do, for example around third-party risk, and then actually doing those things are miles apart. I think that’s where audit, through an enhanced scope focusing specifically on cybersecurity, can provide a far greater level of assurance.”

Going beyond performing independent reviews, such as SOC 2, and the scope of what is traditionally performed in a financial audit, to offering certifications such as ISO 27001 (a globally accepted information security framework), is a great opportunity for audit firms to expand their offerings, Ian suggests. “Audit firms need to start demonstrating additional value that speaks to the whole concept of sustainability within the audit fraternity: looking at how the business model can be sustainable.”

Rethinking business as usual
Ian references a point made by Ascendis Health CFO, CJ Kujenga, that audit firms need to re-look their business models. “If audit firms are going to be required to get to a point where they not only meet regulatory requirements but add value to the broader stakeholder community outside of just the financial statements, I think they need to also find a more sustainable fee model,” he says.

“It all comes back to the fundamental incentive structure and the fact that the company being audited is paying the auditor’s fees. At the end of the day that’s always going to introduce a level of conflict in audit scoping and findings feedback. And while ‘He who pays the piper calls the tune’ to some extent, auditors also have a fiduciary duty, not just to the business, but to the broader stakeholder community. Until audit firms resolve the incentive structure that they've got baked into their model, and the market comes to accept that maybe the way audit is paid doesn't incentivise the outcomes that the market is currently looking for, nothing is going to change.”

This kind of systemic change might happen in reaction to an external shock, or if one of the Big Four decided to do things differently and disrupt the market. “It’s one of those things that could very easily be trialled on a small basis within an audit firm,” muses Ian. “It's just going to require fairly brave leadership even on a trial basis. But I also think that if they alter things such that the model works correctly and they hit on a good incentive, business model and fee model, and if they rolled it out widely, it would be so disruptive to the market that the other audit firms would have no choice but to respond to it.”

Ian says this ties in with the room to turn cybersecurity into a business advantage. “It’s going to become a bigger component of future audits, and the companies that move first will have the biggest competitive advantage when their model does begin to change.”