Why is Cybersecurity Risk the Most Significant Audit Risk That Today’s Federal Programs Face?

By Tony Wang, CRS Partner and Kieran Hennessy, CRS Senior Manager

Audit risk is fundamental to the auditing process. Auditors normally use a traditional audit risk assessment process to audit an entity’s programs and financial statements effectively. However, cybersecurity risk is seldom considered sufficiently when auditors identify and assess the risks that may affect an audit, especially in audits of the Federal government and its programs.

Cybersecurity risk, or the risk that the confidentiality, integrity, and/or availability (CIA) of an organization’s data may be compromised, has become one of the most significant business risks for organizations worldwide because of the disastrous impact a cyberattack can have on business operations. Furthermore, there is strong evidence that the Federal government and its programs face significant cybersecurity risk. This evidence includes recent reports that discuss the ubiquity of cyberattacks, the importance of Federal programs to national wellbeing, and the known weaknesses of Federal cybersecurity programs that operate on antiquated information systems with insufficient resources.


Accordingly, cybersecurity risk must be seriously considered when assessing audit risk for any type of Federal government audit. Audit risk may be significantly increased by substantial cybersecurity risk, that is, the risk that the CIA of a Federal agency’s and its programs’ data is compromised. If an auditor incorrectly assesses audit risk because cybersecurity risk was not sufficiently considered, the result may be an audit misstatement.

Cybersecurity has become a prominent focus of private and government organizations as the world has progressed further into the digital age, especially in recent years with the remote work environment of the COVID-19 pandemic. Because of the highly valuable data (e.g., financial data, personally identifiable information (PII), and confidential data) such organizations possess, they are primary targets for cyberattacks. In addition, major data breaches occur every year and carry significant costs. According to IBM research, the average cost of a data breach was over $4M in 2021. Some examples include the PII breach of the Office of Personnel Management (OPM) in 2015, the Equifax breach in 2017, the Facebook and Capital One breaches in 2019, the Marriott International breach in 2020, and most recently the SolarWinds and Microsoft Exchange breaches that affected both private organizations and Federal agencies in 2021.

The recent SolarWinds and Microsoft Exchange breaches highlight how vulnerable Federal agencies are: they affected a majority of Federal agencies. Recent evidence also shows that the supply chain (e.g., software companies) is a target for cyberattacks that ultimately seek to breach the suppliers’ customers, which include Federal agencies. Moreover, the latest annual Federal Information Security Modernization Act (FISMA) report to Congress confirmed that over 30,000 cybersecurity incidents were reported by Federal agencies in 2020, a visible increase over previous years. Also, based on the major-incident reporting requirements defined in OMB Memorandum M-20-04, there were at least six major cybersecurity incidents in FY 2020 that affected Federal agencies such as the Department of Defense, Department of Education, and Department of Homeland Security.

In addition, available evidence indicates that Federal agencies will continue to be a focus of cybersecurity adversaries for two main reasons. First, Federal programs hold massive amounts of valuable sensitive data. For example, Federal programs possess financial data (such as data related to grants management programs like the COVID CARES Act Program), large quantities of PII, and confidential information about how the Nation operates. Second, effective cybersecurity practices remain a serious challenge in the Federal space. Federal agencies will continue to face challenges because their cybersecurity programs operate on outdated IT assets that are susceptible to attack and rely on insufficient resources; they will need additional years of dedicated improvement.

Because Federal agencies face significantly higher cybersecurity risks, audit risk is also drastically increased for Federal program audits, including performance audits and financial statement audits. From the material misstatement perspective, audit risk consists of two main types: inherent risk and control risk. Inherent risk is the risk of material misstatement that may affect an important audit area (e.g., Payroll; Property, Plant, and Equipment; Disbursements; and Accounts Receivable) due to errors. Control risk is the risk that an internal control does not prevent a material error in a certain area under audit. Cybersecurity risk can affect both of these types of risk. If the CIA of Federal data is compromised, the audit conclusion could be materially affected.

Specifically, the loss of data confidentiality would mean sensitive data is exposed to malicious actors, which could significantly damage a Federal agency’s reputation and potentially increase control risk to the point of control failure. For example, a ransomware attack may lead to miscalculation of financial data because of a large, unknown expense not accounted for during the audit testing period.

The loss of data integrity would potentially affect the accuracy and completeness of the financial data being audited. Inherent risk will therefore most likely increase if financial data integrity is no longer reliable. Auditing inaccurate financial data may directly result in material misstatement because the correct data (e.g., transactions) is no longer available for auditors to test.

Finally, the loss of data availability could prevent key controls from working, or critical business processes from being performed in a timely manner, which increases inherent risk. Controls can be circumvented if a system is not available to process financial transactions or conduct critical business processes in a timely, complete, and accurate manner.

In conclusion, cybersecurity risk has become one of the most significant risks to Federal programs, as evidenced by the recent spike in cyber breaches of Federal agencies, data, and program operations. If Federal data and processes are compromised by cyberattacks, audit risk will be significantly and negatively affected. If auditors misunderstand the severity of cybersecurity risk and thus ultimately misjudge audit risk, the audit results will suffer, which can significantly undermine the auditor’s reputation or lead to loss of business. Therefore, auditors must consider cybersecurity risk one of the most significant audit risks affecting Federal programs today.
