Cybersecurity has shifted from a purely technical IT matter to a critical going concern risk relevant to financial statement audits.
Massive regulatory fines and prolonged business interruptions from cyber incidents can directly threaten an organization's ability to survive. Financial auditors assess whether an organization can continue operating for the foreseeable future (typically 12 months).
Cybersecurity threats now directly jeopardize this status through:
Financial Penalties: Regulations like the PDPA can impose fines of up to SGD 1 million for cyber incidents that have resulted in a personal data breach, potentially depleting cash reserves and damaging the short-term liquidity of small to mid-sized enterprises.
Business Interruption and Revenue Loss: Ransomware or DDoS attacks can halt production or sales platforms for weeks. For many businesses, the inability to serve customers for even a short period causes irreparable revenue loss and contractual penalties.
Asset Impairment: A security or data breach incident can destroy the value of intangible assets like brand reputation or lead to the write-down of physical assets if they are no longer operational due to corrupted software.
Issuing the Appropriate Audit Opinion
If an actual cybersecurity risk event has cast significant doubt on an organization’s survival, the auditor must determine the correct reporting response.
Cybersecurity specialists (professionals with CISA and CISSP credentials), serving as expert advisers to financial auditors, act as a technical bridge by working alongside the auditors to assess the consequential impact of a security or data breach on the organization's going concern.
In the absence of robust intrusion detection controls and cybersecurity audits, the organization may not even be aware of a “hidden” cyber-attack that has already infiltrated its IT systems and could be stealing its patented new technology. This might result in an undetected impairment issue and other potential costs not reflected in the financial statements.
Before a cyber-attack happens or is detected:
By working with its CIO or IT department to establish a Disaster Recovery Plan (DRP), the organization ensures that backups are immutable and off-network. This strategy prevents temporary business interruptions from escalating into permanent shutdowns.
Arrange for IT or cybersecurity audits to be conducted annually to assess and evaluate the adequacy and effectiveness of the security controls in all IT systems.