Cyber and financial audit
Please use Iphone to browse to:
www.jesperdeboer.nl/quiz.aspx
Agenda
- Own-experience
- Maersk
- Relation with FA
- Frameworks
- Materials you can use
Own-experience
Back in 1996...
Have you ever been hacked?
You should be ok now
Source: https://youtu.be/VaqIYlYmDbA
Annual accounts 2017:
- Cost increased by +- 300 mln
- Effected the result by +- 20%
- Unqualified Opinion
- No key audit matter
Quiz 1: What will you do?
- a. Do nothing
- b. Perform a pentest
- c. Perform a cyber audit based on framework
- d. Reperform client control activities
Results
Relation with Financial audit
- Direct financial damage
- Indirect consequences due to reputational damage
- Loss of intellectual property
- Fines for violating regulations
- Dutch Accounting Standard 400 --> description of the main risks and uncertainties
Our audit approach
DAAM 12200 Internal Control § 146. For audits of listed entities, if we become aware of conditions or events indicating a cyber-security breach, the team shall consult with the NPPD.
Example is
| Incident | Why consultation is required |
| Malware on point of sale systems which resulted in a compromise of credit cards | Significant due to number of stores compromised and potential exposure |
Info and toolkit available: https://techlib.deloitteresources.com?link=content/10006_0901ff81813dbc74
Cyber-frameworks
Deloitte Framework 2018
- Improved and usable "Health check MKB"
- Focus on area’s: identification, prevention, detection, response and recover. We added more focus on governance, responsibilities and vendor management.
- It does not focus on: internal audit and cyber security framework and on technical measures.
- Understand the entity (discussion) or D&I
