Research reveals a surprising line of defence against cyber attacks: accountants
- Written by Charlene Chen, Senior Lecturer in Accounting, Macquarie University
When Optus[1], Medibank[2] and non-bank lender Latitude Financial[3] were hit by separate cyber attacks in the past few years, millions of Australians felt the fallout: stolen personal data, disrupted services and weeks of uncertainty. Each breach raised the same uncomfortable question: how can this keep happening?
Australians are often told cybercrime is unavoidable. Companies store vast amounts of data. Systems are complex. Attackers are sophisticated. Breaches feel like a matter of “when”, not “if”.
As a result, responses tend to focus on technology: firewalls, encryption, software updates and staff training. These are all important. But cyber risk is not just a technical problem. It is also a governance problem[4].
Our research[5] suggests a quieter line of defence against attacks is already embedded inside many companies, albeit one many people rarely think about: auditors – a specialised type of financial accountant.
We found auditors who have previously worked with a company that suffered a cyber breach become far more vigilant across all their other clients. That experience changes how closely they question systems, controls and risk – even at companies that have never been hacked.
Asking the tough questions
Behind every system in a company sits a set of decisions: who is responsible, how risks are monitored, whether warnings are acted on and whether controls work in practice. This is where auditors come in.
Auditors are independent professionals who examine whether a company’s financial reporting systems and internal controls are working as they should. Internal controls are the checks and processes that help prevent errors, fraud or system failures.
Auditors do not write code or manage servers. But they ask hard questions about how systems are designed, who oversees them and whether management understands the risks.
As companies have become more digital, financial systems and IT systems have become deeply intertwined. A failure in one can quickly affect the other.
What we did and what we found
Our research[7] examined more than 2,800 companies in the United States over a 16-year period. We tracked what happened after an auditor’s client suffered a cyber breach – and how that experience affected the auditor’s work with other clients.
The pattern was clear. Auditors who had dealt with a breached client became tougher elsewhere. We found they were 21% more likely to identify serious weaknesses in systems and controls at their other clients.
These were not random or defensive decisions. The weaknesses were often linked to technology oversight and access controls, areas closely tied to cyber risk.
Just as importantly, when these auditors issued a clean bill of health – meaning they did not identify major control problems – those companies were less likely to suffer a cyber breach later. Their clean assessments were more reliable.
A tougher mindset
We also interviewed auditors who had worked with breached clients. Their responses revealed a shift in mindset. One told us:
In the past, whatever came from the system, we said, “it’s OK, because it’s from the system”. Now we always ask: “is this really accurate?”
Others described spending more time testing controls, questioning management assumptions and involving IT specialists earlier. Living through a breach made risks tangible rather than abstract.
As one interviewee put it, breach experience becomes something that “can be brought across different clients”.
Lessons for Australia
Although our study uses US data, the implications are highly relevant to Australia.
Australia has experienced some of the world’s most high-profile cyber breaches in recent years. Cybercrime is one of the fastest-growing threats to Australian businesses.
Regulators are responding. The Australian Securities and Investments Commission has warned boards that cyber resilience is now a core governance responsibility[8]. The Australian Prudential Regulation Authority requires financial institutions to demonstrate strong information security practices[9].
There is another local reason this matters. Australia’s largest listed companies are audited largely by global firms such as PwC, Deloitte, EY and KPMG. These firms share methodologies and lessons across borders.
That means insights from overseas breaches can influence audit practice in Australia before the next crisis hits.
Another dimension of cyber risk
Auditors are not cybersecurity experts, and responsibility still lies with company management and boards.
But auditors bring scepticism, independence and a system-wide perspective that many organisations lack internally. Their work often happens quietly, long before consumers feel the impact of a breach.
For investors, there is also a signal. Companies audited by breach-experienced auditors, especially when those auditors give a clean assessment, are statistically less likely to be hacked later. Audit quality is another dimension of cyber risk.
As cyber threats escalate, the auditing profession may be forced to evolve further. For Australian companies, that evolution could be timely. With public trust fragile and regulatory scrutiny increasing, learning from past breaches, even those overseas, may help prevent the next major data breach headline at home.
References
- ^ Optus (www.abc.net.au)
- ^ Medibank (www.abc.net.au)
- ^ Latitude Financial (www.latitudefinancial.com.au)
- ^ a governance problem (www.oecd.org)
- ^ research (doi.org)
- ^ Fili Santillán/Unsplash (unsplash.com)
- ^ Our research (doi.org)
- ^ a core governance responsibility (www.asic.gov.au)
- ^ strong information security practices (www.apra.gov.au)
- ^ Diego Fedele, Joel Carrett, Dan Himbrechts/AAP (photos.aap.com.au)
