Cybersecurity: A Critical Component of the Audit Risk Assessment


Cyber risks abound as the markets for many products and services have gone global and cyberattacks are becoming more sophisticated and aggressive. Businesses must remain vigilant to protect their organizations against data breaches. External auditors have their eyes on cyber risks, too. They can help your company implement effective, up-to-date cybersecurity measures and internal controls over sensitive data.

How much do companies lose from cyberattacks?

The average cost of a U.S. data breach has reached a record high, according to the “Cost of a Data Breach Report 2025,” published by IBM and based on independent research conducted by the Ponemon Institute. The study covers approximately 600 organizations that experienced breaches worldwide between March 2024 and February 2025. It reports that the average U.S. cost rose to $10.22 million per incident, up roughly 9% from the prior year and more than double the global average of $4.44 million per incident. (Note: The study excludes exceptionally high-cost breaches so they don’t skew the averages.)

These trends are alarming. The new study delves deeper into the details of recent breaches to find out what’s happening. Top findings include:

·      The uptick in the average U.S. cost isn’t caused by reduced spending on cybersecurity. Instead, the report attributes it partly to rising regulatory fines and higher detection and escalation costs (largely driven by increased labor costs).

·      The costliest breaches involve company insiders, followed closely by third parties, such as contractors and vendors.

·      The most frequent initial attack vector is phishing (social engineering attacks that target the company’s employees).

New to the 2025 report are insights on how artificial intelligence (AI) affects cyberattacks. The study finds that attackers used AI in 16% of breaches worldwide during the study period. Of these AI-driven breaches, 37% involved AI-generated phishing and 35% involved deepfake impersonation (artificial imitations of a person’s voice or likeness).

On the flip side, some companies are turning to AI to fortify their defenses against cyberattacks. The study finds that roughly one-third of respondents use AI and automation extensively to prevent, detect, investigate and respond to data breaches. It reports that companies that use these tools extensively shortened the breach lifecycle (the time to identify and contain a breach) by 80 days and lowered their average breach costs by $1.9 million compared with those that didn’t.

What data may be targeted?

Hackers may try to steal valuable information about a company’s employees and customers. This sensitive data may include:

·      Personally identifiable information, such as phone numbers, addresses and Social Security numbers,

·      Protected health information, such as test results and medical histories, and

·      Payment card data.

Hackers may also try to access a company’s network to steal valuable intellectual property, such as customer lists, proprietary software, formulas, strategic business plans and financial data. These intangible assets may be sold or used by competitors to gain market share or competitive advantage.

Companies are required to have effective controls over this data to comply with their obligations under various federal and state laws and industry standards.

What’s cybersecurity?

Cybersecurity is the process of designing and implementing controls to:

·      Identify potential threats,

·      Protect systems and information from security events, and

·      Detect and respond to potential breaches.

Hybrid and work-from-home arrangements have exposed growing cybersecurity vulnerabilities. Today, many companies have sensitive data stored in more places than ever before — including laptops, firm networks, cloud-based storage, email, portals, mobile devices and flash drives — providing many potential areas for unauthorized access.

How do auditors evaluate cyber risks?

As the frequency and severity of cyberattacks have increased, data security has become a critical part of the audit risk assessment. Breaches can undermine financial reporting systems and internal controls, increasing the risk of financial misstatement.

Cybersecurity procedures aren’t always explicitly detailed in auditing standards. However, the standards require auditors to understand how a company uses information technology (IT) and how it affects financial reporting. Auditors focus on IT general controls (ITGCs) and application controls. These controls safeguard data integrity, system access, change management and report reliability — all of which matter when assessing cyber risks.

Auditors initially assess cyber risks when developing their audit plans and evaluating internal controls over financial reporting. They may re-evaluate these risks if the audit team uncovers a data breach that occurred during the period under audit or while conducting audit fieldwork.

Audit teams typically use data analytics, IT specialists and inquiries to evaluate cyber risks. (See “Be Prepared for Cybersecurity Audit Inquiries” below.) In addition to verbal explanations, auditors will expect to see evidence of your cybersecurity practices and IT controls, such as:

·      Board meeting minutes,

·      Written cybersecurity policies and cyber-response plans,

·      Cybersecurity risk assessment reports,

·      Documentation of system patches and update logs, and

·      Vendor contracts and performance reviews.

Ensure all documents are organized, dated and linked to your company’s internal control framework.

In addition to your financial statement audit, consider obtaining a System and Organization Controls (SOC) for Cybersecurity report from your CPA. (The American Institute of Certified Public Accountants developed SOC frameworks to provide assurance on the controls of a system or organization.) This independent assessment evaluates whether your cybersecurity program is well-designed, functioning effectively and capable of meeting its security objectives. The report gives stakeholders a clear, consistent picture of the company’s ability to manage cyber risks.

Is your company audit-ready?

Now is the time to ensure your cybersecurity controls are well-documented, tested and ready for auditor review. Be proactive — brief your H&S team on any recent incidents or changes to your IT environment, and have evidence of your policies, procedures and controls at hand. Strong preparation streamlines the audit process and reinforces stakeholder confidence in your ability to protect sensitive data and maintain reliable financial reporting.

__________________

Sidebar: Be Prepared for Cybersecurity Audit Inquiries

When evaluating cyber risks, auditors need to have a comprehensive understanding of how your organization safeguards its information assets, detects and responds to threats, and ensures the integrity of data used in financial reporting. Here are some categories and examples of questions you can expect during fieldwork.

Governance and oversight

·      Who has primary responsibility for cybersecurity oversight?

·      How often is cybersecurity discussed at the board or management level?

·      What policies and procedures do you have in place for managing cyber risks?

·      Have there been recent changes to your cybersecurity strategy or governance?

Risk assessment and identification

·      What processes do you use to identify new or emerging cyberthreats?

·      How do you evaluate the potential impact of a cyber event on financial reporting?

·      Are there specific IT systems or processes you consider “high risk” to financial data integrity?

·      When was your last formal cybersecurity risk assessment performed, and what were the key findings?

Financial reporting system controls

·      What user access controls exist for financial reporting systems?

·      How do you review and approve access changes, especially for privileged accounts?

·      How do you control and monitor system changes or software updates?

·      What backup and recovery procedures have you implemented for key financial systems?

·      Are your systems patched regularly to address known vulnerabilities?
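To show what evidence for the access-control questions above can look like, the following Python script is an added example; it is not part of the original article and is not any firm’s tool. It reconciles an export of who currently holds privileged roles on a financial reporting system against management’s approved-access register and reports the three exception types auditors commonly test: privileged accounts with no current approval, approvals older than the review cadence, and approvals with no matching account (a possible missed de-provisioning). It then renders a dated summary that references the control, in line with the evidence advice earlier in the article. The account names, roles, approval dates, 90-day review interval and the control reference ITGC-ACC-02 are all constructed for illustration.

```python
# Added example: privileged-access reconciliation for audit evidence.
# Not from the article; all names, roles, dates and the control ID are
# constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumed quarterly review cadence
AS_OF = date(2025, 9, 30)              # assumed date of this review run
CONTROL_ID = "ITGC-ACC-02"             # hypothetical control reference


@dataclass(frozen=True)
class Approval:
    """One signed-off row in the access register."""
    user: str
    role: str
    approver: str
    approved_on: date


# Constructed export of current privileged role holders on the financial
# reporting system (in practice: a directory group dump or ERP role report).
ACTUAL_MEMBERS = {
    ("alice", "GL_ADMIN"),
    ("bob", "GL_ADMIN"),
    ("carol", "AP_APPROVER"),
    ("svc_batch", "GL_ADMIN"),   # service account holding an admin role
}

# Constructed approved-access register signed off by management.
APPROVED_ACCESS = [
    Approval("alice", "GL_ADMIN", "cfo", date(2025, 8, 1)),
    Approval("bob", "GL_ADMIN", "cfo", date(2025, 1, 15)),            # older than one review cycle
    Approval("dave", "AP_APPROVER", "controller", date(2025, 8, 1)),  # no longer a member
]


def reconcile(actual, approvals, as_of, interval=REVIEW_INTERVAL):
    """Compare actual privileged membership with the approved register.

    Returns a dict with three sorted exception lists:
      unapproved - (user, role) held today with no approval on file
      stale      - approved and still held, but the approval is older than `interval`
      orphaned   - approved but not held (possible missed de-provisioning
                   or a leaver whose approval was never retired)
    """
    approved = {(a.user, a.role): a for a in approvals}
    unapproved = sorted(m for m in actual if m not in approved)
    stale = sorted(
        key for key, a in approved.items()
        if key in actual and as_of - a.approved_on > interval
    )
    orphaned = sorted(key for key in approved if key not in actual)
    return {"unapproved": unapproved, "stale": stale, "orphaned": orphaned}


def is_clean(findings):
    """True when there are no exceptions of any kind."""
    return not any(findings.values())


def evidence_record(findings, as_of, control_id=CONTROL_ID):
    """Render a dated, control-referenced summary suitable for the audit file."""
    lines = [f"Privileged access review - control {control_id} - as of {as_of.isoformat()}"]
    for kind in ("unapproved", "stale", "orphaned"):
        items = findings[kind]
        lines.append(f"{kind}: {len(items)}")
        lines.extend(f"  {user} / {role}" for user, role in items)
    lines.append("result: " + ("no exceptions" if is_clean(findings)
                               else "exceptions noted - remediation required"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_record(reconcile(ACTUAL_MEMBERS, APPROVED_ACCESS, AS_OF), AS_OF))
```

Run against the constructed data, the review flags carol and the svc_batch service account as holding privileged roles with no approval on file, bob’s approval as older than the review interval, and dave’s approval as having no matching account. Keeping each run’s output dated and tied to a control reference is what lets an auditor trace the review back to the internal control framework.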

Breach detection and response

·      Have there been any cybersecurity incidents in the audit period, and, if so, how were they detected and remediated?

·      How do you log and monitor security events?

·      Do you have a formal incident response plan, and has it been tested recently?

·      How quickly are stakeholders informed when a breach occurs?

Financial reporting effects

·      Could a cyberattack prevent you from processing transactions or closing the books on time?

·      Could a breach affect data integrity or completeness?

·      Have you made any accounting estimates or disclosures related to cyberattacks?

Third-party risks

·      Do you rely on third-party IT or cloud providers for financial data processing?

·      What due diligence do you perform before engaging these vendors?

·      How do you monitor ongoing third-party cybersecurity performance?

Testing and continuous improvement

·      Do you conduct penetration testing or vulnerability scans?

·      How do you address findings from internal audits, IT reviews or regulatory exams?

·      Are cybersecurity training and awareness programs conducted for employees?