Quantar Blog

WHY THE E&Y BREAK-UP SHOULD MATTER TO YOUR CYBER RISK MANAGEMENT TEAM

At the end of May 2022, E&Y announced the strategic move of splitting its audit and non-audit consultancy services and creating a new legal entity for the latter. The move can be read as a response to increasing scrutiny from regulators in multiple jurisdictions, driven by ongoing concerns about how independent the audit division really is from the non-audit services sold to the same clients, and by a history of corporate financial failures and scandals.

In some countries, such as the UK, government departments have voiced concern over major government contractors falling into bankruptcy shortly after Big4 audit firms had signed off their accounts, without reservation, as valid and accurate.

This has led to proposals for greater scrutiny of audit/consulting firms accused of "marking their own homework": the consulting side of the firm advises a corporation and an external audit team from the same firm then audits it. As a consequence, pressure from regulators has been increasing, and some changes have already been made, including the mandatory inclusion of smaller audit firms in the external audit process, in an attempt to remove such potential or actual self-interest.

The situation is analogous to the privatisation of utilities companies, which were then mandated to break up to prevent market dominance in creating, providing and selling sources of energy, water, telecoms, etc. It is also akin to the current climate of accusations of market abuse by US big tech, with regulators seeking to break up the FAANG companies into separate business units.

In the case of audits and consultancy from the major players, it is worth noting that over 90% of large-scale firms and over 97% of major listed companies globally are audited by just the Big4 audit firms. This, allied to continued failures to identify insolvent companies, leading to major financial losses at the expense of governments and thus taxpayers, has increased the motivation to regulate, or break up, the Big4.

So why should your organization be concerned if its corporate accounts are not signed off, or receive a qualified opinion from the auditors?

Top 10 impacts of an auditor declining to sign off, or issuing a qualified opinion on, corporate accounts:

  1. Reputational damage – brand valuation
  2. Shareholder doubt
  3. Target for activist investors
  4. Market signalling
  5. Perception of risk for capital raises
  6. Unwanted predatory interest from potential acquirers
  7. Regulatory oversight increase
  8. Higher fines for non-compliance
  9. Lower employee confidence in management – loss of skilled/knowledge workers
  10. Higher future audit costs from greater levels of scrutiny

To understand the potential impact upon your organization's cyber risk management programmes, it is important to understand how auditors evaluate corporate accounts for risk.

The key question a financial auditor must address is whether an act, omission, technology, process or control could have a negative impact on the organization's financial statements that would not necessarily be directly apparent from an audit of the accounts themselves.

Any such element that could negatively affect the Financial Statement Line Items (FSLIs) requires detailed examination by the audit team, and it is in this area that cyber risk management has become more important: a breach, an outage or a data-protection penalty lands directly on the FSLIs.

Within every organization there are IT General Controls (ITGCs), and these can be evaluated against the various international and national standards, frameworks and regulations relating to IT risk management, such as ISO/IEC 27001 and 27002:2022, NIST SP 800-37 Rev. 2, COBIT, the OECD guidelines, FedRAMP, IT-Grundschutz, GDPR, etc.

Where an external audit team is satisfied, through observation, interviews and testing, that the ITGCs are complete, functioning as intended and operating as designed, the audit team may not examine specific controls in extreme detail. However, it is not only the IT controls themselves that determine how much technology risk an auditor perceives; other factors include:

Key Factors in Audit Concerns:

  • Historical record of quality of a company’s controls & prior audit records
  • Prevailing economic conditions & extent of competition
  • Changes to accounting systems
  • Operational changes
  • Personnel churn rate
  • Transaction volumes/capacity/load/sensitivity/automation/value
  • Regulatory environment

Some of the above are obvious, but a competitive environment and harsh economic conditions may, for example, lead to cost cutting, with IT security regarded as a cost without a revenue offset and therefore a target for reductions.

Being so predominant as external auditors, and given their global network structure, the Big4 hold a wealth of benchmark data against which to measure your organization's budget and spend on cyber risk management and IT security.

Sectoral impacts arise where the volumes or values of transactions are so great that a mistake, failure or omission can result in substantial unforeseen losses. A high personnel churn rate may indicate an internal culture misaligned with the risk appetite required to operate without excessive cyber risk exposure. High churn also requires additional checks on the effectiveness of segregation of duties (SoD), since access accumulates as people move between roles, adding to the audit burden.
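The SoD check that auditors perform is, at its core, a search for "toxic combinations": one identity holding both sides of a control pair that is supposed to require two people (for example, creating a vendor and approving a payment to it). The following is an added example, not Quantar's code or any auditor's tooling; the role model, the conflict pairs and the user assignments are constructed for illustration and stand in for an export from an IAM system. It resolves nested roles transitively, because the conflicts that survive a churn-heavy environment are usually the ones hidden behind an inherited role rather than a direct grant.

```python
"""Segregation-of-duties (SoD) conflict check over a role/entitlement model.

Added illustrative example (not Quantar's code). All roles, permissions,
conflict pairs and user assignments below are constructed sample data.
"""
from collections import deque

# Constructed role model: role -> (permissions granted directly, roles inherited).
ROLES = {
    "ap_clerk":      ({"vendor.create", "invoice.enter"}, set()),
    "ap_approver":   ({"payment.approve"}, set()),
    "treasury":      ({"payment.release"}, set()),
    "ap_supervisor": ({"vendor.create"}, {"ap_approver"}),   # inherits approval rights
    "readonly":      ({"ledger.read"}, set()),
}

# Constructed toxic combinations: holding both sides lets one person commit
# and conceal a fraudulent payment without a second pair of eyes.
CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
    ("payment.approve", "payment.release"),
]

# Constructed user -> roles assignment, as an IAM export might look after
# staff have moved between teams and kept their old roles.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_approver"},
    "carol": {"ap_clerk", "treasury"},      # no conflicting pair
    "dave":  {"ap_supervisor"},             # conflict only via inherited role
    "erin":  {"ap_clerk", "ap_approver"},   # direct conflict
}


def effective_permissions(role_names, roles=ROLES):
    """Resolve nested roles transitively.

    Breadth-first walk with a visited set, so role cycles (which do occur
    in real IAM data) terminate, and unknown roles contribute nothing.
    """
    perms, seen, queue = set(), set(), deque(role_names)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        direct, inherited = roles.get(role, (set(), set()))
        perms |= direct
        queue.extend(inherited)
    return perms


def granting_roles(user_roles, permission, roles=ROLES):
    """Which of the user's assigned roles (directly or by inheritance) grant `permission`.

    Useful as audit evidence: it tells the reviewer which assignment to remove.
    """
    return sorted(r for r in user_roles if permission in effective_permissions({r}, roles))


def sod_violations(assignments=ASSIGNMENTS, conflicts=CONFLICTS, roles=ROLES):
    """Return {user: [(perm_a, perm_b), ...]} for each user holding both sides of a conflict pair."""
    violations = {}
    for user, user_roles in sorted(assignments.items()):
        perms = effective_permissions(user_roles, roles)
        hits = [pair for pair in conflicts if pair[0] in perms and pair[1] in perms]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b in hits:
            print(f"{user}: {a} (via {granting_roles(ASSIGNMENTS[user], a)}) "
                  f"+ {b} (via {granting_roles(ASSIGNMENTS[user], b)})")
```

Run against the constructed data, the check flags dave, whose conflict exists only because ap_supervisor inherits ap_approver, and erin, who holds two conflicting pairs outright; carol, who can enter invoices and release payments but not approve them, is clean under this conflict list. The output per hit names the granting roles, which is the form of evidence an auditor will ask for when testing SoD effectiveness.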

… And the Break-Up?

Whilst E&Y has decided to split its audit division from the faster-growing consultancy side of the business, the other Big4 players have doubled down on their ability to maintain independence during audits.

The most visible way to demonstrate that independence, and to provide evidence and transparency of it, is far greater scrutiny of the key components when auditing clients. Where technology systems, software, processes, interfaces and human interaction can affect the FSLIs, expect a more in-depth risk assessment. In a period of increasing use of Big Data and AI/DL/ML within most organizations, allied with the shift to the cloud, the rationale for the Big4 to increase scrutiny during audits is apparent.

As data use is increasingly regulated, the potential for substantial financial penalties for misuse of data, exfiltration, or impermissible use and storage increases. A successful claim against an organization will clearly have a negative FSLI impact. Thus, the requirement for auditors to test and validate cyber risk management programmes and their sub-components now applies more than ever.

The Big4 have all signalled that audit fees will increase substantially as rising travel, energy and other costs are passed on to clients. The additional cost of more intense testing of risk controls, compliance and security will similarly mean higher fees for clients.

Newer regulations on data breaches and on operational and technology risk controls effectively presume non-compliance until the organization provides auditable proof of compliance, as well as of the intent to comply; a shift in approach by organizations' GRC and OGC functions is required from here on.

Additional burdens come by way of the mandatory requirement for cyber risk awareness training for all personnel within organizations. The format, delivery and composition of such training have not been defined by the applicable regulations; however, it is made clear that different profiles of personnel will require appropriate forms of training.

Auditors will increasingly include this component and attach greater importance to it, given the risks associated with a finding of non-compliance by a regulatory body. In some countries (the ICO in the UK and CNIL in France, for example), regulators have stated that limited resources will lead them to shift compliance inspections away from small businesses towards medium-to-large organizations, since large entities can cause greater damage.

The Big4 are well aware that prosecution of a client by a regulator would point directly at the lack of independence wherever non-audit and audit services for that client have been combined. Your GRC and cyber risk management teams should therefore be fully aware of the new requirements and be in a position to answer external auditors' assessment activities with auditable proof of operational control and compliance in cyber risk management during your next audit period.

Quantar has been providing regulatory compliance products since 2005, commencing with banking (Basel II) and re/insurance (Solvency II), and continues to evolve them to meet the current operating environment.

We are now also able to provide bespoke, hands-on cyber risk management training using our patented cyber risk management methods.

For more information, please contact our team at info@quantar.tech
