Page 235 - CA Final Audit Titanium Full Book. (With Cover Pages)
CA Ravi Taori
Future Safeguarding: Management should also plan for future actions to protect the organization from similar
attacks.
Recover from risk (Post Attack)
1A. Impact Evaluation: Undertake appropriate actions to evaluate the impact of the attack on the business.
1B. Regulatory Communication: Communicate the evaluated impact to the relevant regulators.
2A. Recovery Implementation: Implement a recovery plan to overcome the impact and restore business
operations.
2B. System Upgrades: Implement necessary improvements such as patch upgrades for better control.
2C. Security Enhancement: Improve technology infrastructure including firewall, anti-virus, and other security
tools to safeguard the entity.
(CNO DAA.200) Control considerations for Cyber Risks:
Apart from having cyber security policies, procedures, a framework and regular assessments in place, management should maintain strong and up-to-date internal controls to ensure the entity is protected from cyber risks:
Controls around vendor setup and modifications:
1A. Responsibility: Determination of who is responsible for making changes to vendor master data, and
whether this process is centralized or decentralized.
1B. Systems and Technologies: Identification of the systems and technologies used to initiate, authorize, and
process requests related to changes to vendor master data.
2A. Communication Channels: Evaluation of the communication channels used to request changes to vendor
master data, such as email, and whether multi-factor authentication is enabled for these channels.
2B. Authentication Protocols: Assessment of the authentication protocols defined to verify modifications to vendor master data, including call-back procedures and multi-factor authentication.
3A. Cyber Schemes: Understanding of the cyber schemes where changes to bank account or other critical vendor
information are requested through email phishing scams by individuals pretending to be authorized vendor
personnel.
3B. Financial Impact: Analysis of the financial impact of inappropriate fund disbursement to these individuals,
leading to an inappropriate reduction in the liability owed to the actual vendor, and the subsequent effect on the
financial statements.
Controls around electronic transfer of funds:
Cyber Schemes: Understanding of the cyber schemes involving fraudulent requests for wire transfers or electronic funds transfers, which purport to relate to business transactions or vendor payments, or which appear to come from financial institutions requesting disbursement from customer asset accounts.
1. Systems and Technologies: Identification of the systems and technologies used to facilitate the
request/initiation, authorization, and release of wire transfers.
2. Education: Assessment of whether personnel responsible for wire transfers are educated on the relevant threats
and information related to common phishing scams associated with fraudulent requests for wire transfers.
3. Authentication Protocols: Evaluation of the authentication protocols defined to verify wire transfer requests, such as call-back procedures and dual-authorisation procedures.
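The vendor master data controls (2A, 2B, 3A) and the electronic transfer controls (1 to 3) above can be expressed as a small rule check. The following is an added illustration written for this edition, not code from the book or from any audit tool; the vendor record, change requests, user names, bank account strings and the assumption that only the vendor portal enforces multi-factor authentication are all constructed for the example. A bank account change is accepted only when it arrives over an MFA-protected channel, is authorised by someone other than the requester, and is confirmed by a call-back to the number already on file (never to a number supplied in the request). A transfer is released only when a second person approves it and the payee account matches the vendor master, so a change that failed the controls cannot be paid.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    phone_on_file: str  # trusted contact captured at onboarding, not taken from any request


@dataclass
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    channel: str                    # channel the request came in on, e.g. "email" or "vendor_portal"
    requested_by: str               # user who keyed the change
    authorised_by: Optional[str]    # second person who approved it, if any
    callback_number: Optional[str]  # number actually dialled to verify the request
    callback_confirmed: bool        # did the vendor confirm on that call?


@dataclass
class TransferRequest:
    vendor_id: str
    payee_account: str
    amount: float
    initiated_by: str
    released_by: Optional[str]      # second person who released the payment, if any


# Assumption for this example: only the vendor portal channel enforces MFA.
MFA_CHANNELS = {"vendor_portal"}


def evaluate_change(req: ChangeRequest, vendor: VendorRecord) -> List[str]:
    """Return the list of control failures; an empty list means the change may be applied."""
    failures = []
    if req.channel not in MFA_CHANNELS:
        failures.append("channel-without-mfa")
    if req.authorised_by is None:
        failures.append("not-authorised")
    elif req.authorised_by == req.requested_by:
        failures.append("segregation-of-duties")
    if not req.callback_confirmed:
        failures.append("callback-not-confirmed")
    elif req.callback_number != vendor.phone_on_file:
        # A call-back to a number supplied in the request proves nothing.
        failures.append("callback-to-untrusted-number")
    return failures


def apply_change(req: ChangeRequest, vendor: VendorRecord) -> bool:
    """Update the vendor master only if every control passed."""
    if evaluate_change(req, vendor):
        return False
    vendor.bank_account = req.new_bank_account
    return True


def evaluate_transfer(xfer: TransferRequest, vendor: VendorRecord) -> List[str]:
    """Dual authorisation plus a payee check against the vendor master."""
    failures = []
    if xfer.released_by is None:
        failures.append("not-released")
    elif xfer.released_by == xfer.initiated_by:
        failures.append("dual-authorisation-missing")
    if xfer.payee_account != vendor.bank_account:
        failures.append("payee-not-in-vendor-master")
    return failures


# Constructed sample data (hypothetical vendor, users and account strings).
def fresh_vendor() -> VendorRecord:
    return VendorRecord("V-1001", "ACCT-OLD-0001", "+00-000-0001")


# A phishing-style request: emailed, self-approved, "verified" on the number the email gave.
PHISHING_CHANGE = ChangeRequest("V-1001", "ACCT-NEW-9999", "email",
                                "ap.clerk", "ap.clerk", "+00-000-9999", True)
# A legitimate request: via the portal, approved by a manager, confirmed on the number on file.
LEGIT_CHANGE = ChangeRequest("V-1001", "ACCT-NEW-2222", "vendor_portal",
                             "ap.clerk", "ap.manager", "+00-000-0001", True)
# A payment keyed to the account from the phishing request.
PAYMENT_TO_NEW_ACCOUNT = TransferRequest("V-1001", "ACCT-NEW-9999", 250000.0,
                                         "ap.clerk", "treasury.lead")

if __name__ == "__main__":
    v = fresh_vendor()
    print("phishing change:", evaluate_change(PHISHING_CHANGE, v))
    print("applied:", apply_change(PHISHING_CHANGE, v), "master still", v.bank_account)
    print("payment:", evaluate_transfer(PAYMENT_TO_NEW_ACCOUNT, v))
    print("legit change applied:", apply_change(LEGIT_CHANGE, v), "->", v.bank_account)
```

The point an auditor would test is the coupling between the two controls: because the payment check reads the payee from the vendor master and the master only changes after a verified request, a fraudulent account never becomes a valid payee, and the failure list records exactly which control would have been bypassed.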
Controls around patch management:
Cyber Attacks: Understanding of how cyber and ransomware attacks exploit known security vulnerabilities,
often caused by unapplied patches or upgrades, resulting in the manipulation or destruction of data.
Patch Notifications: Examination of how the entity is notified of patches by external vendors, such as Microsoft
for Windows patches.
Patch Management: Assessment of whether the entity has a patch management program in place.
Vulnerability Scans: Evaluation of whether the entity runs periodic vulnerability scans to identify
missing/unapplied patches.
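The patch management points above (vendor notifications, a patch programme, periodic scans for unapplied patches) come together in a missing-patch report. The following is an added example for this edition, not code from the book or from any scanning product; the patch identifiers, release dates, host inventory and the remediation windows of 7 days for critical and 30 days for important patches are all constructed assumptions. It joins a list of vendor-released patches against a scan of what each host has installed and flags every gap, marking those that have exceeded the entity's remediation window.

```python
from datetime import date
from typing import Dict, List

# Constructed sample of vendor patch notifications (hypothetical identifiers).
RELEASED_PATCHES = [
    {"id": "PATCH-A-001", "product": "os", "released": date(2024, 1, 9), "severity": "critical"},
    {"id": "PATCH-A-002", "product": "os", "released": date(2024, 2, 13), "severity": "important"},
    {"id": "PATCH-B-001", "product": "db", "released": date(2024, 2, 1), "severity": "critical"},
]

# Constructed sample scan output: host -> product -> set of installed patch ids.
# A product absent from a host's entry means that product is not installed there.
HOST_INVENTORY = {
    "app-01": {"os": {"PATCH-A-001", "PATCH-A-002"}, "db": set()},
    "app-02": {"os": {"PATCH-A-001"}},
    "db-01": {"os": set(), "db": {"PATCH-B-001"}},
}

# Assumed remediation windows, in days from the vendor release date.
SLA_DAYS = {"critical": 7, "important": 30}


def missing_patches(inventory: Dict[str, Dict[str, set]], released: List[dict],
                    as_of: date) -> List[dict]:
    """One finding per (host, patch) pair where an applicable patch is not installed."""
    findings = []
    for host, products in inventory.items():
        for patch in released:
            installed = products.get(patch["product"])
            if installed is None:
                continue  # product not present on this host, patch not applicable
            if patch["id"] in installed:
                continue
            age_days = (as_of - patch["released"]).days
            findings.append({
                "host": host,
                "patch": patch["id"],
                "severity": patch["severity"],
                "age_days": age_days,
                # Overdue once the patch has been available longer than the window.
                "overdue": age_days > SLA_DAYS[patch["severity"]],
            })
    return findings


def overdue_by_host(findings: List[dict]) -> Dict[str, int]:
    """Count of overdue patches per host, for the management summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["overdue"]:
            counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    report = missing_patches(HOST_INVENTORY, RELEASED_PATCHES, date(2024, 3, 1))
    for f in report:
        flag = "OVERDUE" if f["overdue"] else "within window"
        print(f"{f['host']:8} {f['patch']:12} {f['severity']:9} {f['age_days']:3}d  {flag}")
    print("overdue per host:", overdue_by_host(report))
```

Run as of 1 March 2024 the report shows four gaps, two of them past their window. A scan that only lists installed patches cannot produce this view; the join against the vendor's release list is what turns a scan into evidence that the patch management programme is operating.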
www.auditguru.in 12.10