
What Auditors Get Wrong About Auditing Cybersecurity

Tichaona Zororo
Director of Enterprise Governance of IT (EGIT)  

Session Outline

According to Cybersecurity Ventures, the global annual cost of cybercrime will reach USD 8 trillion in 2023. It predicts global cybercrime damage costs will grow by 15 percent per year over the next five years, reaching USD 10.5 trillion annually by 2025, up from USD 3 trillion in 2015. Cybersecurity is a business issue and not an IT issue. Cybercrime can affect a business for years after the initial attack occurs, and costs can run into billions of dollars. The costs associated with cyber-attacks, lawsuits, insurance rate hikes, criminal investigations and bad press can put a company out of business quickly.


Most auditors who follow a risk-based agile audit approach will certainly have cybersecurity auditing in their dynamic agile audit plan. But why do cyberattacks continue to grow at an unprecedented, alarming scale? What is it that auditors are not getting right when it comes to auditing cybersecurity?


In this session, delegates will learn what auditors are missing and getting wrong about cybersecurity. Delegates will learn the following:

  • The mistakes auditors make when auditing cybersecurity and how to avoid them

  • Why it is critical to obtain an in-depth understanding of the business when performing value-adding cybersecurity audits

  • How to put cybersecurity concerns in the context of business objectives

  • Critical Business Cybersecurity Metrics

  • Impact of Cybersecurity on products and services affected

  • Cybersecurity insurance covers

  • Connecting Cybersecurity to Enterprise Goals

  1. Revenue

  2. Financial Materiality of Cyberattacks

  3. Legal and Regulatory Implications

  • Align cybersecurity audit findings with missing, failed or broken controls – tie the findings to critical functions of an enterprise

  • Presenting Cybersecurity as a strategic risk

  • Connecting cybersecurity to legal and regulatory implications

  • How to report cybersecurity audits
