External Auditor’s Responsibility to consider Cybersecurity

Scope of auditor’s responsibility

The auditor is required to:

  • Understand how the business uses IT and the impact of IT on the financial statements,
  • Understand the extent of the company’s automated controls as they relate to financial reporting (including IT general controls that are important to the effective operation of automated controls and the reliability of company-produced data and reports used in the audit), and
  • Use his or her understanding of the business’s IT systems and controls in assessing the risks of material misstatement of financial statements, including IT risks resulting from unauthorized access.

The immediate conclusion may be that cybersecurity risk is not an area that requires special audit attention, but auditors would consider, as part of the risk assessment process, an entity’s business risks in the audit of financial statements. Cyber incidents can result in financial consequences and can therefore have an effect on the financial statements.

Cybersecurity risk should therefore be considered in every financial statement audit. Auditors should consider and assess the impact of such risk to the financial statements and, where necessary, the extent of the audit response required to address the risk.

It is important to note that the auditor’s role is limited to the audit of the financial statements and does not encompass an evaluation of cybersecurity risks of the company’s entire IT platform but only focusses on systems and controls affecting information used in the compilation of these financial statements.

Risk consideration and assessment

Risk assessment is part of the financial statements audit process and is a fundamental process which must be performed during the planning phase of every audit. The auditor is required to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control. An in-depth understanding of the entity’s business and environment (this includes an entity’s IT and cyber environment) enables the auditor to identify the risks, and to design and implement appropriate audit responses to address those identified risks. The auditor should obtain an understanding of the IT general controls, evaluate their design and determine whether the controls that are relevant to the audit have been implemented.

The auditor should determine whether any of the risks identified (which could include cybersecurity risks) are, in the auditor’s judgement, significant risks that require special audit consideration. If information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and any reporting obligation.

Re-Assessing Cybersecurity Risk Every Year

Changes in the risk environment and the ways in which businesses operate mean that business risks do not remain constant. In one year, cybersecurity risk may not have been identified as a key business risk that may result in risks of material misstatement, but this does not mean that the same will apply for the next year. Significant and rapid changes in information systems, incorporation of new technologies into production processes, or expansion of operations can bring about new cybersecurity risk.

Audit responses to risks identified

Where cybersecurity risks may result in risks of material misstatement at the financial statement level, the auditor should take appropriate steps to address these risks. This may include assigning more experienced staff or those with special skills such as IT specialists to the engagement, incorporating additional elements of unpredictability in the selection of further audit procedures to be performed and modifying the nature of audit procedures to obtain more persuasive and corroborative audit evidence.

The auditor would have to determine whether continued reliance can be placed on the IT dependencies/automated controls, and consider the need to revise the initial risk assessment and the impact on the nature, timing and extent of other planned audit procedures. The auditor would have to respond to the ineffective IT control environment by obtaining more extensive audit evidence from substantive procedures.

Audit responses to cyber attacks

Companies that fall victim to successful cyber-attacks may incur substantial costs and suffer significant damage. The auditor should:

  • Understand the nature and cause of the incident, carefully consider the costs and any adverse consequences arising from the cyber incident, and evaluate the impact it may have on the financial statements.
  • Assess the impact of the attack on the entity’s future revenue, potential litigation expenses, cybersecurity protection costs, etc., and on future cash flows, which may affect impairment assessments.
  • Examine whether the breach may indicate going concern issues for the entity.
  • Evaluate whether appropriate disclosures are included in the financial statements.
  • Consider any other requirements to notify the appropriate authorities in case management has not made appropriate disclosures or considered the auditor’s recommendations.

October 2018 edition

Your tax deadlines for October

The due date for non-provisional taxpayers who submit their income tax via eFiling or electronically at a SARS branch is 31 October.

Time is running out and SARS is cracking down on late lodgements and failure to submit returns.

The penalty amount that will be charged for late lodgement depends on your taxable income and, says SARS, “can range from R250 up to R16,000 a month for each month that the non-compliance continues.”

Treat this deadline seriously!

Will the 21st century really be Africa’s time to flourish?

“We really need to have a third wave, and it needs to happen in sub-Saharan Africa” (Bill Gates)

Two factors often cited as to why “Africa’s time is coming” are:

  • Demographics – the huge populations of India and China are cited as a key factor in their rapid growth. Currently Africa is the fastest growing continent and its population is set to double by 2050.
  • Leapfrogging technology – for example, developing countries have set up banking in remote areas of East Africa by using cell phones powered by small solar panels. They have thus bypassed the whole process of setting up banking and electrical infrastructure.

Is it likely that these predictions will materialise and if so what impact will all this have on South Africa?

Demographics – the unseen flaw

It is accepted that large populations create a large potential market, as has happened in Brazil for example. However, to reap this benefit, populations need to start declining once development begins to take off. The reason for this is what is known as the “dependency ratio”.

In 1960, in developing countries in Asia, Africa and South America, women had an average of six children. Since then the number has declined in Asia to 2.2 children and to 3 children in South America. However, Africa has remained high at just under 5 children per woman.

Having fewer dependents allows parents to focus on their careers, grow their wealth and afford to spend more on things like education and health care for their smaller families. As these smaller families rapidly join the middle class, this helps to provide the momentum for infrastructure development and rapid economic growth. As long as Africa has a high care dependency ratio, it will be extremely difficult to mirror China and India.

In South Africa our average number of births is 2.4 per woman which puts us in between Asia and South America. If we can get some basics right, like education, we could start to rapidly develop.


Mobile phones have been used for more than developing banking in Africa; smartphones are also used, for example, to help rural farmers. Satellites scan a farm and can tell the farmers which of their fruit trees have rot and need to be pulled out before the disease spreads to other trees. They can get advice on what crops to plant, how much fertiliser to use, and so on. Technology is thus enabling some African countries to progress at a rapid rate.

African countries still need infrastructure. There is no point in doubling your farming yield if you cannot get your product quickly and cost effectively to market. Without decent roads, ports, an effective legal system and border posts free of bottlenecks, Africa will struggle to fulfil its potential.

Many breakthroughs can be made with technology but without a decent foundation, leapfrogging will only have a limited impact.

We in South Africa have reasonable infrastructure but very high inequality and still need to focus on uplifting the poorer sections of the country and creating a more enabling environment to attract investment.

In a nutshell, South Africa is potentially well placed to move rapidly ahead. Things are unfortunately less certain for the bulk of our continent.

Surviving a business crisis: Consider your turnaround options

“Turnarounds seldom turn”
(Warren Buffett)

Almost any business will experience a crisis at some point in its life cycle. This is always a very difficult time, and how senior management responds will be a test of judgment and experience. Usually, it will be some issue that is solvable and the business will continue to operate.

Sometimes however it is an existential threat and this will need careful thought and planning.

Stress drains your energy

Deciding whether to try and turn around a business or put it into liquidation is enormously stressful. Many careers and the family of staff and key stakeholders could suffer depending on the outcome.

It is unlikely there will be a second chance if the first decision made by management turns out to be incorrect.

What is the problem?

So the first thing to do is identify the core problem. There are many things to look at:

  • Is your business in a mature to old stage?
  • Are there disruptors like Uber in the industry?
  • Is there still demand for the product or service your business provides?
  • What sort of shape is your business in? Are systems and infrastructure creaking or worse?

Money, planning and analysis

Once the problem and a solution have been identified, don’t forget that turning around a business will take resources. Plan your cash flow carefully.

Business turnarounds are also high risk – remember they will often not work out. But careful planning and analysis will improve the odds of success – ask your accountants for their specialist help and advice at this crucial time.

Directors Beware! You could be held personally liable for data breaches

Hacking into computers has become commonplace. In the United States it grew by 45% in 2017. Yahoo, one of America’s largest Internet search engines, was recently the victim of cyber crime and disgruntled shareholders are suing the directors for dereliction of their fiduciary duties.

Hacking is a reality in South Africa also, which raises the issue of your personal liability as a director in the event of your company being exposed to cyber crime.

What do the Companies Act and King IV expect of directors?

Directors need to have “taken reasonably diligent steps to become informed about the matter” – in other words directors would be expected to know cyber crime has become commonplace and to take steps to ensure the company takes all the necessary actions to prevent outsiders getting access to company information. King IV specifically charges directors to “identify and respond to incidents, including cyber attacks…”.

Your risk is that as a director you are personally liable for any costs, losses or damages resulting from a breach of your duties.

How to protect yourself from liability

If a company suffers loss from a hacking incident, then directors need to show they have addressed the issue to the best of their ability if they want to avoid attracting such liability.

Whilst many of us may feel lost when it comes to technology, it is clearly an issue that exposes a company to significant risk. Make sure you and your board of directors gain an understanding of how to protect your business. You also need to ensure that, if needed, you can show documentation to a court to prove that you acted with diligence to counter the risk of being hacked.

Importing from Amazon: You could be forced to register as an importer

“Forewarned is forearmed”
(Wise old proverb)

Picture this: Gavin brings in books and DVDs from Amazon (to take just one example – this applies to anything sourced from foreign online retailers like eBay, Alibaba etc). He pays VAT and Customs Duty on the products and is frustrated when his couriers don’t deliver his purchases. He gets even more frustrated after phoning them as they tell him that his products have not been released from Customs because he is not a registered importer.

When must you register?

If you bring in more than three shipments (or if your imports cumulatively are more than R50,000) per calendar year, then you are required to register as an importer with SARS. This has been a requirement since 2013, but SARS have only been enforcing it this year. This is in spite of the fact that VAT and Customs Duty are already being recovered.

That’s bad news…

Registering as an importer is not easy. You have to:

  • Complete a DA185 and a DA185.4A1
  • Show proof of address
  • Have a tax clearance certificate
  • Have a certified ID copy
  • Lodge a bank statement
  • Lodge an affidavit stating that all the above information is correct.

The Customs Act and Regulations pertaining to importers are more than 6,000 pages long! Be warned, if you want to import a lot of books, DVDs or other goods, your life will get a whole lot more complicated. Don’t take chances here; ask your accountant for help if you fall into the net.

Get the most out of your audit while saving costs

With careful planning and good implementation, you can help your auditors give you not only a cost effective audit but one that gives you more assurance that your systems are sound and that your annual financial statements fairly reflect your economic position.

Firstly, lay a good base

  • Implementing strong internal controls and keeping up to date financial records will go a long way to ensuring a smooth audit.
  • Good internal controls mean the auditors will have faith in your systems and this will reduce the amount of testing they do.
  • Up to date financial records with monthly reconciliations of control accounts and explanations for significant variances will further enhance the audit process.
  • One of the key audit factors is determining the risk of the financial statements being misstated, so keeping abreast of your company’s financial risks and sharing this with the auditors will help reduce their audit time.

Then, communicate well

  • Have a meeting with your audit partner and advise him or her of what is happening in the business. If there is bad news, communicate this – the chances are the auditors will pick up the bad news during the audit and this could involve them doing extra work to assess how this will impact your financials.
  • At this meeting, find out which staff will be on your audit. Having auditors who have worked on your audit in previous years will save you time, as they will not need to spend additional time understanding your business.
  • The auditors plan a certain number of hours on your audit. Ask for this along with the hourly audit costs so you can plan your cash flow.
  • Usually you send the auditors a final trial balance and from this they assess what tests they will do. If you have some group companies, send a consolidated trial balance – it is easier for the auditors to understand how the business is performing if they work down from the highest to the lowest level.
  • When your auditors request information, make sure it is accurate and what they want. Once the audit starts, designate a senior finance person to liaise with the auditors and to meet regularly with them. Any queries or misunderstandings can be swiftly resolved. This person can monitor how the hours worked and audit costs are panning out, so if the audit looks as though it will run over budget, you can react before extra costs are incurred.

Your auditors’ recommendations

Your auditors will present you with their findings and suggestions as to how to correct any weaknesses they find. Most times you will implement their findings but if there are some you decide won’t work, discuss this with them and get their acceptance of your reasons for not making the proposed changes. This will save time at the next audit when the auditors check how your firm has progressed with their recommendations.

Good planning and good communications will help to keep your costs to a minimum whilst getting assurance on your accounting and internal controls.