Key Takeaways:
- Cybercrime is a growing threat to Australian businesses, with high-profile breaches in recent years affecting millions of people
- Auditors can play a crucial role in preventing cyber breaches by identifying weaknesses in systems and controls
- Auditors who have worked with a company that suffered a cyber breach become more vigilant and are 21% more likely to identify serious weaknesses in other clients
- The auditing profession can provide a quieter line of defence against cyber attacks, with a focus on governance and risk management
- Companies audited by breach-experienced auditors are statistically less likely to be hacked later, making audit quality an important dimension of cyber risk
Introduction to Cybercrime in Australia
When major companies like Optus, Medibank, and Latitude Financial were hit by separate cyber attacks, millions of Australians felt the fallout: stolen personal data, disrupted services, and weeks of uncertainty. Each breach raised the same uncomfortable question: how can this keep happening? The frequency and severity of cyber breaches have led to a sense of inevitability, with many believing that it’s not a matter of "if" but "when" a breach will occur. However, research suggests that a quieter line of defence against attacks is already embedded inside many companies, albeit one many people rarely think about: auditors.
The Role of Auditors in Cybersecurity
Auditors are independent professionals who examine whether a company’s financial reporting systems and internal controls are working as they should. Internal controls are the checks and processes that help prevent errors, fraud, or system failures. Auditors do not write code or manage servers, but they ask hard questions about how systems are designed, who oversees them, and whether management understands the risks. As companies have become more digital, financial systems and IT systems have become deeply intertwined, and a failure in one can quickly affect the other. Auditors are increasingly focusing on company IT systems, recognizing the critical role they play in preventing cyber breaches.
Research Findings
A study of over 2,800 companies in the United States over a 16-year period found that auditors who had dealt with a breached client became tougher in their assessments of other clients. These auditors were 21% more likely to identify serious weaknesses in systems and controls, often linked to technology oversight and access controls. The decisions to flag these weaknesses were not random or defensive, but the result of a more vigilant approach to auditing. When these auditors issued a clean bill of health, those companies were less likely to suffer a cyber breach later, making these auditors' assessments more reliable.
A Shift in Mindset
Auditors who had worked with breached clients revealed a shift in mindset, becoming more sceptical and questioning of management assumptions. They described spending more time testing controls, involving IT specialists earlier, and asking tougher questions about system design and risk management. This shift in mindset is critical in preventing cyber breaches, because it treats risks as tangible rather than abstract. As one auditor noted, breach experience becomes something that "can be brought across different clients," highlighting the importance of learning from past breaches.
Lessons for Australia
The implications of this research are highly relevant to Australia, which has experienced some of the world’s most high-profile cyber breaches in recent years. Cybercrime is one of the fastest-growing threats to Australian businesses, and regulators are responding. The Australian Securities and Investments Commission has warned boards that cyber resilience is now a core governance responsibility, and the Australian Prudential Regulation Authority requires financial institutions to demonstrate strong information security practices. Because Australia’s largest listed companies are audited largely by global firms such as PwC, Deloitte, EY, and KPMG, insights from overseas breaches can influence audit practice in Australia before the next crisis hits.
The Future of Auditing
As cyber threats escalate, the auditing profession may be forced to evolve further. For Australian companies, this evolution could be timely, with public trust fragile and regulatory scrutiny increasing. Learning from past breaches, even those overseas, may help prevent the next major data breach headline at home. Auditors are not cybersecurity experts, and responsibility still lies with company management and boards. However, auditors bring scepticism, independence, and a system-wide perspective that many organisations lack internally. Their work often happens quietly, long before consumers feel the impact of a breach, making audit quality an important dimension of cyber risk. By recognizing the critical role that auditors play in preventing cyber breaches, companies can take a more proactive approach to cybersecurity and reduce the risk of a breach occurring.


