Internal Auditing (Auditing and Assurance Principles) 19

HOLY ANGEL UNIVERSITY

School of Business and Accountancy
______________________________________________________

ADDRESSING CYBER SECURITY RISK WITH AUDITING THROUGH

IMPLEMENTATION OF TWO SYSTEM PROCESS AND AUDITING COURSES IN
SCHOOLS

______________________________________________________

In Partial Fulfillment
Of the Requirement of the Course
AAPRINCIPLES: Internal Auditing (Auditing and Assurance Principles)

_______________________________________________________

Presented to:

Mr. Renz P. Marasigan

Presented by:

Penaflor, Kyla Kane

Regala, Krisha Laine
Rocha, Angela Mae
A-333

_________________________________________________________
 Internal Auditing (Auditing and Assurance Principles) 19

TABLE OF CONTENTS

I. Executive Summary……………………………………………………….....3

II. Background of the Proposal…………………...……………………….…....4

III. Review of Related Literature and Study……………………………………6

IV. Significance of the Study…………………………………………………...9

V. Proposal Action Plan…………………………………………………...........11

VI. Projected Impact of the Proposal to the Profession…………………………14

VII. Concluding Statement………………………………………………….......16

References
 Internal Auditing (Auditing and Assurance Principles) 19

I. EXECUTIVE SUMMARY

As professions and operations in varying fields took advantage of the application of

advanced technology, potential risks within the company are also evolving and becoming

digitalized. A large number of chief executives stated that cybersecurity risk is considered as

the most alarming concern due to the drastic increasing of cybercrime each year and the

negative economy wide effect it brings. In order to reduce the risk, internal auditors are

determined who has the sufficient skills, experience, and knowledge for risk assessment and

provide an audit plan to address these issue (Institute of Singapore of Chartered Accountants

(2018). It also leads to an added concern that due to demand, there is not enough pool of

qualified internal auditors to take the role according to the study of Protiviti and ISACA

entitled “2019 Global IT Audit Benchmarking”.

The proposal not only provides an improvement to the profession but also to devise a

solution to address the cybersecurity risk of the supervised company. Technology system

course implemented in schools to produce well knowledgeable future auditors and establishing

training program for newly hired employees will develop their workforce performance.

Moreover, the proposal also suggest an additional process which will strengthen the risk

management assessment of the entity. The accountants are then increase their capability to take

more advanced roles and the companies will then possess qualified auditors.

The action plan of the proposers to implement an added course specialized in

digitalized auditing is to coordinate with the college administrative staff of the university to

prepare the submission of the paper to the Curriculum Office, then reviewed by the specific
 Internal Auditing (Auditing and Assurance Principles) 19

vice presidents in Academic and Student Affairs Office (ASA) and subject for approval to the

Commission on Higher Education (CHED). The process of the other two proposed solutions is

it will undergo approval stage by the Philippine Institute of Certified Accountants (PICPA)

then it will be passed to the Board of Accountancy for further examinations.

In contrast to the abovementioned positive impacts to the profession, it may suggest

otherwise such as not all universities and students has enough financial resources to include the

proposed course to their curriculum and the firm may think that is not the worth the effort and

investment to establish training program for the recruits and add a new auditing process. The

writers of the proposal concluded to reduce or eradicate these problems regarding the risks of

cyber security in firms and advancing the quality of the audited financial statements in three

ways.

II. BACKGROUND OF THE PROPOSAL

The world is entering a new age wherein technology and machineries considered now

as one of the basic necessities in life. The generation completely embrace the use of it to their

daily lives, even more in application of profession and business industry. Systems and

programs are recently developed norm as an aid for various professions in doing their

expertise. Since March 17, 1923, the day when the accounting profession was formally

recognized in the Philippines (PICPA, n.d.), the practice done by the Certified Public

Accountants (CPAs) are slowly adopting the use of system with integrated application that aids

them to manage and record business transactions. Such software serves as the major operation
 Internal Auditing (Auditing and Assurance Principles) 19

that store large pools of information within a company however, it demands consistent

maintenance and pose a risk to the whole operation.

In 2020, Barclay Simpson disclosed that 78% of chief audit executives (CAEs) assessed

that cyber security is one of the top risks to their organizations. From 66% of respondents

conducted previous year, there has been an increasing of threats to intellectual property and

digitalized security to different companies. In addition, nearly 20% have to do with the unease

of compliance and regulatory change (Hornsby, 2019). Cybersecurity is defined by Loo (2018)

as a series of complex web of programs and systems that is expected to counter act against

digitalized threats. The IT department may not have the sufficient knowledge and tools they

require to secure the systems. Numerous firms foreseen and determined the specific profession

that could thwart these risks are the internal auditors.

Internal auditors are professionals that specializes in evaluating and providing

assurance to the company regarding to risk management, internal control, governance, and etc.

In extension, internal audit is expected to perform the critical role in increasing the security

through analyzing and establishing new processes or programs. Internal auditors reports back

to the audit committee and board of directors with regards to the updates of control and

continuing proper function of the system as it is within the managements’ duty to be aware of

because the huge potential risk it can be bring to their company if not addressed wisely

(Deloitte, 2017).

A study did a rough calculation that approximately cybercrime has the potential to lose

over $2 trillion by the year 2019 which increased significantly from the year 2015 (Deloitte,
 Internal Auditing (Auditing and Assurance Principles) 19

2017). Cybercrime threats the hacking of confidential information such as financial statements

and supporting evidences which are not yet intended to release in the public. Furthermore,

malicious virus can corrupt an entity’s software that can destroy financial reporting data, alter

or stole the system’s code, unrecovered client’s information that will lead to large detrimental

effect especially if the company do most of its operations with the help of the system. Aside

from the thousands to millions of losses, companies are at risk to preserve their reputation

which is assumed to have a longer negative outcome and hence, limiting the chances of

opportunities and growth.

With the abovementioned scenarios and situations, the main purpose of this proposal is

to recommend ways further to strengthen the system’s security against threats, to increase the

number of knowledgeable and competent internal auditors to counteract and minimize the

risks.

III. REVIEW OF RELATED LITERATURE AND STUDIES

Cybersecurity risk, as stated by Adelman & et al. (2019), originates from hostile

intention to cybernetic attack that can give rise to disturbance and failure of systems and

ultimately cease the activity of the supervised entity. Evidences revealed that cybercrime has

been increasing and advancing as the companies continues to depend on the information and

communication technologies. Especially into these information age, practically every entity

manages their whole operation with the utilization of technology and Internet connectivity

which made them prone on cybersecurity risk whether they are big or small. Only those who
 Internal Auditing (Auditing and Assurance Principles) 19

run their business traditionally or manually are not expose to the threat of cybercrime (Institute

of Singapore Chartered Accountants, 2018).

Numerous news circulating in the world of famously known corporations, government,

and agencies that lost significantly of their resources and capital as well as get their image

tainted due to these. Based from these scenarios, chief executives ascertained that improving

their cybersecurity should be one of the top priorities of their company. Floods of reports from

analytics and Accenture, a consulting firm, discovered on a survey that almost 90% of the 450

financial firms intended to focus their funding on risk management to regards in preventing

cybercrime and fraud detection (Wilhelm, 2015).

On the other hand, although recognizes the essential on developing their company’s

cyber security, some chooses not to allot their spending on such. For instance, one of the top

shipping companies in Japan termed it as a “cost”. Other 64% of entities, in all sizes, also

stated the same opinion that they see it as an expense rather an investment based on the

conducted survey in 2017 (The Economist, 2020).

Nevertheless, it is viewed that internal auditor plays a crucial role because as stated by

Institute of Singapore of Chartered Accountants (2018), auditors should not overlook the

importance of cybersecurity risk for it is part of assessing the risk management of the business.

Alongside to above mentioned general consequences, it can cause damaged on managing the

financial statement that can turn into fundamental effect to the company. One instance scenario

is the undetected malware that may tamper the financial statements. Therefore, internal auditor
 Internal Auditing (Auditing and Assurance Principles) 19

ought to examine the possible repercussions of the risk to the auditing of financial statements

and assets as well as to express an opinion on how to address the issue.

Famous accounting firm, Deloitte (2017), expressed its opinion on the advantages of

requiring the services of internal auditors to combat the issue. The internal audit is capable of

examining and providing a comprehensive cyber risk assessment that extends to introducing

sound accurate discoveries and viewpoint to the company’s audit committee and board of

directors. Gathering those findings to construct a detailed audit proposal to decrease the

cybersecurity risk that could last for a single or multi-year audit period.

Internal auditors are called for to provide their expertise in reducing the level of risk the

cybercrime possess and which means several firms are in need of pool of competent internal

auditors. In addition to Deloitte’s (2017) statement, internal audit professionals with the

sufficient knowledge, skills, and experiences are in demand for they play a vital role to the

firm. Moreover, they are considered as “indispensable resource” if they are familiar to engaged

in the virtual world and has the proficiency to perform assessments. These was echoed with the

same sentiment by the IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP,

CCSA, CRMA, based from the excerpt of Horwath (2018), "The evolving responsibilities of

internal audit in addressing cybersecurity issues mean that audit professionals must develop a

clear understanding of the principles of data security and the cyber frameworks that apply

within their own organizations,"

Alongside with the increasing concern of cybersecurity risk, chief executives also pose

a challenge to recruit qualified professionals. Findings of a study conducted by the Protiviti and
 Internal Auditing (Auditing and Assurance Principles) 19

ISACA, a global association that aids corporations in the sector of IT audit/assurance,

governance, risk and information security space, entitled “2019 Global IT Audit Benchmarking

Study” stated the number of enterprises that are encountering insufficiency of skilled internal

auditors and discovered the most demand top five skills the corporations are looking for the

position.

Conducted survey revealed that entities with ranging from US$ 100 million to $ 1

billion net incomes, almost 32% of them are with limited resources and skills of professionals

in constructing an annual audit plan. The results indicates that even the executive big

corporations are dealing with the same issue as any other enterprises. The following are the

findings regarding the five skillsets in demand for internal auditors: expertise in advanced and

enabling technologies, critical thinking, data science, agile methodology, and communications

expertise with 44%, 32%, 27%, 20%, and 17%, respectively.

IV. SIGNIFICANCE OF THE PROPOSAL

Just like any other fields, auditing has also evolved with technology to constantly meet

the changing business models, new sets of requirements, and as strong defense for

cyberattacks. In order to help entities in assuring that they are coping up with this challenges,

internal auditing must evolve as well not just for the sole benefit of the organization, but also to

provide quality and unbiased internal control and business processes.

 Internal Auditing (Auditing and Assurance Principles) 19

Digitalized auditing is so rampant nowadays because it evidently help entities on

enhancing their credibility to build meaningful engagements. However, issues such as quality

of auditing with minimal human intervention, and cyber security, are commencing through this

advancement. With these, the proposers came up with this motion that will contribute on the

improvement of the profession.

Since the world is in the midst of Skills Revolution, the skills needed are changing

rapidly as a result of transforming organizations brought by the technology. Because of this,

relying on software and cloud-based services are emerging that is why it’s important to have

technology system course implemented in a school specifically specialized in digitalized

auditing. This way, students are already undergoing training to prepare them in engaging at

today’s demand, because technical skills are hard to find. This course is a better way for

greater understanding of the technical aspects of the work, and students who completed a

digitalized auditing course will give themselves a boost on their job performance when the

time comes. This proposal can contribute in the improvement of the profession because

nowadays, there is a big challenge in acquiring people with adequate skills in operating

automated solutions, and that is mainly because of the shortage in talents about the use of

digitalized processes. If students will have this course, it will heightened their ability to adapt

to this threatening productivity, and expand their minds to fresh skill sets that will give solution

to the global talent shortage, in order to attain sustainability and growth in engaging auditing

services.
 Internal Auditing (Auditing and Assurance Principles) 19

Another way that the proposers address this shortage issue is to implement or enhance

trainings among newly hired auditors and existing auditors to familiarize themselves more on

the system. Auditors must expand their skillsets more effectively to reduce risk and improve

controls within the organization. Companies must invest more in ensuring that the workforce

are reskilled by having workforce development program to future-proof their skills to avoid

being left behind. This learnings among the auditors will help them to become more aware on

how to maximize the use of auditing system and utilized it for performing quality

engagements. According to the World Economic Forum, the entities who are successful in

workforce transformation will be able to “harness new and emerging technologies to reach

higher levels of efficiency of production and consumption, expand into new markets, and

compete on new products for a global consumer base composed increasingly of digital

natives.”

One of the issues also encountered in today’s profession is the threat on quality of auditing

as a result of minimal human intervention because of the advancement brought by this

emerging technology. These threats in cyberattacks also continuously evolving that is why the

management have to set policies on how to address the capabilities of the firm in managing

these associated risks. The proposers suggested to have two process in conducting auditing to

increase the quality of auditing and that is to first have it on the digitalized process, and the

next one is to have a auditor who will still assess the information. These auditors plays crucial

role in helping organizations in the battle against managing cyber threats by giving

independent assessment and identifying opportunities to strengthen the security of the

enterprise.
 Internal Auditing (Auditing and Assurance Principles) 19

V. PROPOSAL ACTION PLAN

GOAL: To address cyber security risk by making accountancy students and auditors

knowledgeable about technology system in order to produce quality engagements.

Action Objectives Required Outcome

Description Resources
Implementing To prepare students Resources needed by To produce graduates
technology system in acquiring technical the schools to who completed
courses in schools skills needed to implement such are digitalized auditing
specialized in digital engage in today’s computer course to boost job
auditing. demand on talents laboratories, the performance and
regarding digitalized system needed and heightened their
processes. subscription fees. ability to adapt to the
threatening
productivity, and
expand their
knowledge to the
fresh skill sets.
Implementing or To help auditors in The resources needed To have auditors who
enhancing trainings familiarizing are having workforce have expanded their
among newly hired themselves more on development program skillsets effectively in
auditors and the system and through trainings, and order to reduce risk
existing auditors. become more aware the needed and improve controls
on how to maximize investment or funds within the
the use of auditing in doing so. organization, and
system and utilized it emerged in
for performing technology with
 Internal Auditing (Auditing and Assurance Principles) 19

quality engagements. higher levels of

efficiency production.
Executing two To address issue in Auditors and the To produce quality
process in auditing today’s profession auditing system are audits despite the
financial statements. regarding the threat needed for this threats on the
First in the system, on quality of auditing action. evolving technology.
then afterward have as a result of minimal
auditor who will human intervention
assess the because of the
information. advancement brought
by the emerging
technology.

This action plan identify the specific steps needed to take in order to achieve the goals and
objectives of the proposal.

Objectives Execution / Required

Description Resources
To pass the proposal The proposers must work with the faculty  Completed course
regarding team, the dean or director and administrative proposal form
implementation of or program coordinators prior to submitting  Sample syllabus
an added course any curriculum changes.  Request approval
specialized in Once settled, the next step is to contact the form
digitalize auditing. Curriculum Office to review the draft
proposal and to discuss the goals and
processes.
The initiators of the course proposal will have
to attend Curriculum Committee meeting to
answer questions and give clarifications.
For the next step of the approval process, the
 Internal Auditing (Auditing and Assurance Principles) 19

Academic and Student Affairs Office (ASA):

AVP of Academic and Student Affairs and
Provost/Executive VP will review and
determine whether to approve or disapprove
the said proposal.
Lastly, the recommendation of the proposal to
the Commission on Higher Education
(CHED) followed by the release of CHED
Memorandum Order.
To pass the The proposers will pass the proposal paper to  Completed
implementation of the Philippine Institute of Certified Public proposal form
two process in Accountants, which will eventually undergo  Request approval
auditing, and into approval stage. form
acquiring necessary The paper will be subject to assessment by
trainings for newly authorized professionals under PICPA and
hired and existing decide on whether to approve the proposal.
auditors. When the proposal got approved, it will be
passed to the Board of Accountancy for
further examinations until implemented.

VI. PROJECTED IMPACT OF THE PROPOSAL TO THE PROFESSION

Positive impact of the proposal

Today in the digital world in the year 2020, ICAEW (2020) stated that all

organisations, big and small, are investing in technology to improve their business. The auditor

rely on that technology and are required to test its operating effectiveness. Companies often

encounter problems arising from cyber security. It is where confidential information not to be
 Internal Auditing (Auditing and Assurance Principles) 19

known in public are usually hacked and used as threats to the competitors. It is through the

implementation of technology system courses in schools specialized in digital auditing,

enhancing trainings among newly hired auditors and existing auditor and the execution of two

process in auditing financial statements will improve the protection against the risks in cyber

security.

Proposing to have courses in digital auditing and the enhancement on their training,

auditors are now equipped with experts on different software applications and platform

technologies to inform their clients on the strengths of their security or change controls and to

be able to rely on automated functionalities such as reports, calculations or segregation of

duties. Having the right level of expertise of new technology allows us to provide the highest

quality of audit. Investment in people skills is the real secret to quality technology audit.

Having the two system process will lead to reduce the risks in compliance with the latest data

protection regulations to protecting the business against unauthorised access. Having the

system processing and human intervention in auditing will increase the quality of the audited

financial statements.

Negative impact of the proposal

As for the implementation of Digital Auditing as a course in Universities especially

here in the Philippines, not all universities can afford to have this as a course. Also in other

countries people may say that it is expensive to have this as a course for using such softwares

and tools in digital auditing. The feasibility may be a problem to other universities just like in
 Internal Auditing (Auditing and Assurance Principles) 19

state universities, a survey presented by Marcus (2018), that college students in state

universities cannot afford such courses that are kinda expensive with its laboratory expenses.

As for the two process in auditing financial statements, the managers or the administration or

any person interested in the firm may complain that it is time consuming as they are used to

have their audited financial statements fast with only automated machines and less human

intervention. Unfortunately continuing the way they want may degrade the quality of the

audited financial statements and increase the risks in cyber security.

VII. CONCLUDING STATEMENT

As our technology develops with innovation and inventions, the impact of solely

relying in it, problems may arise just like the risks in cyber security. It is very rampant today in

firms with technological advancement to experience problems with their security especially in

the cyber world. It is very alerting to address this problem for it will affect all of us including

the firms and the society. The writers of the proposal concluded to reduce or eradicate these

problems regarding the risks of cyber security in firms and advancing the quality of the audited

financial statements in three ways. First is to implement digital auditing course which is not yet

made available here in our country that is really needed for as we all know auditing digitally is

a trend today in every firms but we lack of people with expertise in digital auditing. The

writers firmly believe that if there would be such course, there'll be an increase of auditors with

expertise and vast knowledge digitally. The second part of the proposal which is the

enhancement of training to the auditors regarding digital auditing is aligned with the

implementation of the said course. As auditing is very crucially significant because of its
 Internal Auditing (Auditing and Assurance Principles) 19

opinion provided on the financial statements, auditing digitally today must be introduced and

be part of the training of the auditors regularly for them to be updated with our new technology

and work efficiently and effectively. Lastly, the third part of the proposal is to have a two

process in digital auditing. The first process is to let the automated system to audit the financial

statements and followed by the second process where the auditors will double check the

audited financial statements by the machine / software. This two process of auditing addresses

the problems regarding the increase of errors and advancing the quality of the auditing of

financial statements.

References:

Adelman, F., Gaidosch, T., Morozova, A., Wilson, C. (2019). Cybersecurity Risk Supervision.

Washington DC, International Monetary Fund.

Deloitte (2017). Cybersecurity and the role of internal audit: An urgent call to action.

Retrieved

from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-cyber-

ia-urgent-call-to-action.pdf

Hornsby, D. (2019). Top 5 key risks for internal auditors in 2020. Retrieved from

https://www.barclaysimpson.com/blogs/top-5-key-risks-for-internal-auditors-in-2020-

92829102719

Horwath, C. (2018, March 12). Internal Audit's Growing Engagement in Cyber Management.
 Internal Auditing (Auditing and Assurance Principles) 19

https://link.gale.com/apps/doc/A530688887/GPS?u=phhau&sid=GPS&xid=2f163051

ICAEW. (2020). A simple revolution for digital auditing and auditing digital.

https://www.icaew.com/technical/audit-and-assurance/faculty/audit-and-beyond/audit-

and-beyond-2019/audit-and-beyond-december-2019/a-simple-revolution-for-digital-

auditing-and-auditing-digital

Institute of Singapore Chartered Accountants. (2018, June). Cybersecurity risk considerations

in a financial statements audit. Retrieved from https://isca.org.sg/media/2240014/isca-

cyber-security-risk-report.pdf

Lane Community College. (2020). Course approval process.

https://www.lanecc.edu/curriculum/course-approval-process

Loo, Alex (2018). Why are cybersecurity audits important?. Retrieved from

https://www.echoworx.com/blog-are-cybersecurity-audits-important/#:~:text=Why

%20conduct%20cybersecurity%20audits%3F,should%20be%20reviewed%2C%20and

%20why.

Man Power Group (2020). The Future of Work and Skills.

https://www.manpowergroup.com/workforce-insights/the-future-of-work-and-skills

Marcus, J. (2018). New data show some colleges are definitively unaffordable for many.
 Internal Auditing (Auditing and Assurance Principles) 19

https://www.google.com/amp/s/hechingerreport.org/new-data-show-some-colleges-are-

definitively-unaffordable-for-many/

Menlo, P. (2019, October 15). IT Security, Privacy and Data Management Ranked as Top

Challenges Facing IT Audit Function, According to Survey from Protiviti and ISACA.

https://link.gale.com/apps/doc/A602726973/GPS?u=phhau&sid=GPS&xid=0621a15a

Milano, M. (2019b, March 12). The digital skills gap is widening fast. We Forum.

https://www.weforum.org/agenda/2019/03/the-digital-skills-gap-is-widening-fast-

heres-how-to-bridge-it/

PICPA (n.d.). History. Retrieved from

http://www.picpa.com.ph/content.html?article=History&page=About

Pundmann, S. (2019, February 26). Cybersecurity and the role of internal audit. Deloitte

United

States. https://www2.deloitte.com/us/en/pages/risk/articles/cybersecurity-internal-audit-

role.html

The Economist. (2020, July 18). The other virus threat; Cyber-security, 54(US).

https://link.gale.com/apps/doc/A629635596/GPS?u=phhau&sid=GPS&xid=21f953ce

Western Community College (2020). 5 Unexpected Benefits of Information Technology

Courses.
 Internal Auditing (Auditing and Assurance Principles) 19

https://westerncommunitycollege.ca/blog/5-unexpected-benefits-of-information-

technology-courses/

Wilhelm, C. (2015, May 12). Cybersecurity, Fraud Top of Mind for Bank Execs: Report.

American Banker, 1(72). https://link.gale.com/apps/doc/A413094686/GPS?

u=phhau&sid=GPS&xid=4ee72162