In today’s digital landscape, financial professionals are more than stewards of numbers; they are the custodians of sensitive data, frontline defenders against cyber threats, and ethical sentinels of trust in a hyperconnected world. The surge in cyberattacks targeting finance and audit functions underscores a crucial message: cybersecurity is no longer the exclusive domain of IT – it is now an ethical, operational, and strategic concern for all accountants and auditors.
This article highlights why cybersecurity is vital for financial professionals, outlines common cyber fraud risks facing finance teams, and offers actionable strategies to detect, prevent, and respond to cyber threats, while staying aligned with ethical expectations under the EP 100 Code of Professional Conduct and Ethics (EP 100) issued by ISCA.
The role of accountants and auditors has evolved. Today, professionals in finance manage and access an extensive array of digital assets – payroll records, tax filings, financial forecasts, and audit workpapers. This treasure trove of data makes them prime targets for cybercriminals.
Recent cases have demonstrated how cyberattacks such as deepfakes and business email compromise scams have successfully infiltrated even well-defended financial departments. A 2024 incident involved an AI-generated video impersonating a company’s CFO, tricking a clerk into wiring over US$35 million to a fraudulent account. The illusion was so convincing that the finance staff believed they were following legitimate instructions.
Cybersecurity for accountants and auditors is not just about protecting data; it is about protecting reputation, compliance, and client trust.
Cybercriminals increasingly use social engineering, exploiting psychology rather than technical loopholes. Key tactics include:
1. Phishing, vishing, and deepfake attacks
Attackers pose as trusted sources via email, phone, or even AI-generated videos to extract login credentials or manipulate staff. These attacks exploit hierarchy, urgency or curiosity, creating believable narratives that are hard to ignore.
2. Business email compromise
Fraudsters infiltrate or spoof a senior executive’s email account, instructing staff to approve fake invoices or transfer funds. The instructions often mimic real communication styles, increasing the likelihood of compliance.
3. Ransomware and data breaches
In ransomware attacks, malicious software encrypts financial data, holding it hostage for payment. Data breaches, often caused by weak access controls or outdated systems, can expose client records and confidential financial data, potentially breaching Singapore’s Personal Data Protection Act (PDPA).
4. Theft of digital assets
This includes the unauthorised access and sale of sensitive financial models, client data, or intellectual property, exposing organisations to loss of competitive advantage and regulatory sanctions.
Accountants and auditors are in a unique position to lead cybersecurity efforts across their organisations by integrating strong controls, promoting ethical awareness, and collaborating with IT and governance functions.
1. IT general controls (ITGC) awareness
Understanding and evaluating ITGC is foundational for effective cybersecurity in finance. These include:
2. Network and cloud controls
Accountants must understand the cloud environments where financial data is stored and processed. Key practices include:
Application controls such as input validation, processing verification, and output accuracy help ensure the integrity of financial data across systems.
3. Cyber risk assessments and continuous monitoring
Financial professionals should be involved in cybersecurity risk assessments to:
Ongoing monitoring – using automated alerts and anomaly detection – provides early warning of suspicious activity.
EP 100, updated to reflect the impact of technology, highlights key ethical considerations for accountants in a digital environment:
1. Confidentiality and data protection
Financial professionals must safeguard sensitive data through encryption, secure disposal, and robust access controls. With increasing reliance on cloud-based systems, professionals must ensure data confidentiality throughout its lifecycle.
2. Professional competence and due care
Competence now includes a working knowledge of cybersecurity fundamentals. Accountants and auditors should understand risks related to data analytics, AI, and system vulnerabilities, and undertake continuous learning to keep pace with technological advancements.
3. Independence and objectivity
Cybersecurity consulting, system implementation, or data hosting by an auditor’s firm could impair independence. Ethical safeguards must be established to avoid self-review threats and advocacy threats, particularly when the same firm audits systems it helped build.
Cybersecurity is a shared responsibility. Here’s how accountants and auditors can actively contribute:
Cybersecurity is now an essential competency for financial professionals. Whether it is safeguarding ledger systems, preventing invoice fraud, or protecting client data, accountants and auditors are key guardians in the digital domain.
By understanding cyber risks, applying ITGCs, evaluating network/cloud security, and upholding ethical principles, financial professionals can move from passive gatekeepers to active defenders of organisational integrity and public trust.
The threat landscape will continue to evolve and so, too, must our vigilance, skills, and ethical commitment.
Yoong Ee Chuan, FCA (Singapore), CIA, CISA, CISM, ISCA(FFP), CFE, is Founder and Managing Director, RxE Integrity Advisory.