Walk into any Caribbean boardroom in 2026 and ask the directors what their external auditor does about cybersecurity. The answers will fall into three categories. Some directors will say their auditor audits cyber. Some will say cyber is the IT manager’s problem and not an audit matter. A few will say it is somewhere in between but they are not quite sure where. All three answers are wrong — but the third comes closest to the truth.

The relationship between the external audit and cybersecurity is a precise one, and it is widely misunderstood. The external audit does not, in any meaningful sense, audit cybersecurity. The auditor is not engaged to opine on the entity’s cyber defences, and a clean audit opinion is no statement on cyber posture. At the same time, the external audit cannot simply ignore cyber risk — because in a digitised entity, cyber risk and financial reporting risk are interwoven in ways the standards now require the auditor to address.

This article unpacks that boundary. It explains what the external auditor must do about cyber, what the auditor is not engaged to do, and what an audit committee should expect to see at the intersection. For CIOs, CISOs, audit committee chairs, and CFOs across the Caribbean — all of whom have an interest in this question — the article also offers four specific questions worth asking before the next audit cycle begins.

What the External Audit Is — and Is Not

The external audit, conducted under the International Standards on Auditing, exists to express an opinion on whether the financial statements give a true and fair view, in all material respects, in accordance with the applicable financial reporting framework. That is the engagement. Everything the auditor does flows from that purpose.

Cyber risk enters the audit only insofar as it could materially affect the financial statements. That is a real and increasingly significant overlap, but it is not the same thing as auditing cyber. An entity may have weak cybersecurity controls and still have correctly stated financial statements. Conversely, an entity may have excellent cybersecurity controls and still have material misstatements arising from unrelated matters. Cyber risk and financial reporting risk are correlated but not coterminous.

The auditor’s role, therefore, is narrower and more precise than the popular framing suggests. The auditor is required to:

  • Understand the IT environment relevant to financial reporting, under ISA 315 (Revised), including the IT applications, the supporting infrastructure, and the IT general controls that govern access, change management, and operations.
  • Identify and assess the risks of material misstatement that arise from the entity’s use of IT — including risks of unauthorised access to financial data, unauthorised changes to financial applications, and disruption to systems supporting the financial reporting process.
  • Design and perform audit procedures responsive to those assessed risks — typically a combination of IT general controls testing, application controls testing, and substantive procedures including data analytics.
  • Evaluate whether any cyber incidents that occurred during the period — or after the period and before the financial statements are issued — have implications for the financial statements, disclosures, or going-concern assessment.

Notice what is on this list and what is not. The auditor must understand and test IT general controls relevant to financial reporting. The auditor is not engaged to test the entity’s firewalls, run penetration tests, evaluate the SOC, or opine on the maturity of the entity’s cyber programme. Those are valuable services. They are not the financial statement audit.

“Cyber risk and financial reporting risk are correlated but not coterminous. The auditor’s interest in cyber is precise: when it could affect the financial statements.”

Where Cyber Risk Meets the Financial Statement Audit

Five specific situations bring cyber risk inside the external audit scope. Each is worth understanding because each is a place where the auditor must do meaningful work, and where the audit committee should expect to see substantive evidence in the audit file.

One  |  IT General Controls Over Financial Reporting

Under ISA 315 (Revised), the auditor must identify the IT applications relevant to financial reporting — the ERP, the general ledger, the consolidation system, the payroll application, the fixed asset register — and assess the IT general controls that govern those applications. The principal areas are access management (who can post to the general ledger, who can change master data, how privileged access is granted and revoked), change management (how application changes are authorised, tested, and migrated), and IT operations (backup, recovery, job scheduling).

A failure in any of these areas is, simultaneously, a cyber control failure and a financial reporting control failure. The user with unauthorised journal-posting access is both a cyber exposure and a misstatement risk. The change management process that allows untested code to reach production is both a cyber concern and a financial reporting concern. The audit is required to engage with these — not as a cyber audit, but as a financial reporting audit that recognises the technology environment in which financial reporting actually happens.

Two  |  Cyber Incidents During the Period

Where the entity has experienced a cyber incident during the reporting period — a ransomware event, a business email compromise, an unauthorised access incident, a data exfiltration — the auditor must evaluate whether the incident has financial statement consequences. Those consequences may include direct losses (ransom payments, remediation costs, forensic fees, legal costs), contingent liabilities (potential regulatory fines, class action exposure, customer notification obligations), insurance recoveries, and disclosures of significant subsequent events or going concern uncertainty.

Cyber incidents also raise questions about the integrity of the financial data itself: was the general ledger touched, were master files altered, was there a period during which the systems supporting financial reporting were compromised? These are questions the auditor must ask, and the entity must be prepared to answer with evidence.

Three  |  Going Concern and Cyber Resilience

ISA 570 (Revised) requires the auditor to evaluate the appropriateness of management’s use of the going concern basis of accounting. Increasingly, cyber resilience is a going-concern factor. An entity that depends materially on a small number of digital channels — an online retailer, a digital bank, a fintech, a SaaS provider — faces an existential cyber exposure that is properly within the auditor’s going concern enquiry. The question is not whether the entity’s cyber posture is mature; it is whether a plausible cyber event could threaten the entity’s ability to continue as a going concern within the foreseeable period.

Four  |  Fraud Risk Through Cyber Vectors

ISA 240 — The Auditor’s Responsibilities Relating to Fraud — has always required the auditor to consider fraud risk. In the modern Caribbean entity, the principal fraud vectors are now cyber: business email compromise leading to fraudulent payments, social engineering of finance staff, insider misuse of system access, manipulation of payment files between approval and bank submission. The auditor’s fraud risk assessment, journal entry analytics, and controls testing must engage with these vectors — again, not because cyber is being audited for its own sake, but because cyber is now where the fraud is.
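The access-management points under One (who may post journals, who may approve them) and the journal entry analytics named above reduce to checks an auditor can actually run. The Python below is an added illustration, not Dawgen Global's code or any audit tool's: it cross-checks constructed journal lines against a constructed entitlement list and flags the characteristics an ISA 240 journal-entry test looks for, namely posting or approving without entitlement, preparer equals approver, back-dated entries posted after close, out-of-hours posting and large round amounts. The role names, period dates, hours window and amount threshold are all assumptions.

```python
"""Journal-entry analytics cross-checked against ledger access entitlements.

Added illustration only; every user, role, date and journal line below is
constructed for the example, not taken from any real ledger.
"""
from collections import namedtuple
from datetime import datetime

# Constructed entitlement list: the ITGC access layer the auditor tests.
ENTITLEMENTS = {
    "asmith": {"JE_POST"},
    "bjones": {"JE_POST", "JE_APPROVE"},
    "cto_admin": {"SYS_ADMIN"},          # IT admin with no business role in the ledger
    "dlee": {"JE_APPROVE"},
}

PERIOD_END = datetime(2025, 12, 31, 23, 59)   # assumed fiscal year end
CLOSE_DATE = datetime(2026, 1, 10)            # assumed date the ledger was closed
ROUND_AMOUNT_THRESHOLD = 100000               # assumed materiality-style cut-off

Entry = namedtuple("Entry", "je_id posted_by approved_by posted_at effective_date amount account")

# Constructed journal lines: two clean, two carrying suspicious characteristics.
JOURNALS = [
    Entry("JE001", "asmith", "bjones", datetime(2025, 12, 15, 10, 5), datetime(2025, 12, 15), 12437.18, "6100"),
    Entry("JE002", "cto_admin", "dlee", datetime(2025, 12, 30, 2, 14), datetime(2025, 12, 30), 250000.00, "4000"),
    Entry("JE003", "bjones", "bjones", datetime(2026, 1, 12, 9, 0), datetime(2025, 12, 31), 500000.00, "4000"),
    Entry("JE004", "asmith", "dlee", datetime(2025, 12, 31, 17, 30), datetime(2025, 12, 31), 8000.00, "2100"),
]


def flag_entry(e):
    """Return the list of audit flags raised by a single journal entry."""
    flags = []
    if "JE_POST" not in ENTITLEMENTS.get(e.posted_by, set()):
        flags.append("POSTED_WITHOUT_ENTITLEMENT")     # access-control failure
    if "JE_APPROVE" not in ENTITLEMENTS.get(e.approved_by, set()):
        flags.append("APPROVED_WITHOUT_ENTITLEMENT")
    if e.posted_by == e.approved_by:
        flags.append("NO_SEGREGATION_OF_DUTIES")
    if e.posted_at > CLOSE_DATE and e.effective_date <= PERIOD_END:
        flags.append("POST_CLOSE_BACKDATED")           # entry pushed into a closed period
    if not 7 <= e.posted_at.hour < 20:
        flags.append("OUT_OF_HOURS")                   # assumed business hours 07:00-20:00
    if e.amount >= ROUND_AMOUNT_THRESHOLD and e.amount == round(e.amount, -3):
        flags.append("LARGE_ROUND_AMOUNT")
    return flags


def run_analytics(entries=JOURNALS):
    """Map each flagged JE id to its flags; clean entries are omitted."""
    return {e.je_id: f for e in entries if (f := flag_entry(e))}


if __name__ == "__main__":
    for je_id, flags in run_analytics().items():
        print(je_id, ", ".join(flags))
```

Each flag is a lead for follow-up in the audit file (entitlement evidence, approval trail, support for the back-dated entry), not a conclusion of misstatement on its own.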

Five  |  Third-Party and Cloud Dependencies

Most Caribbean entities now depend on third parties for material elements of their financial processing: cloud-hosted ERP and accounting platforms, payroll bureaus, payment processors, custodians, settlement utilities. The auditor must understand these dependencies, evaluate the controls at the service organisation (often through reliance on ISAE 3402 / SOC 1 reports), and consider the cyber risk arising from third-party access to financial data. A breach at a service provider can become a financial reporting issue at the audit client — and the auditor is required to think this through.

“In the modern Caribbean entity, the principal fraud vectors are now cyber. The auditor must engage with these — not because cyber is being audited, but because cyber is now where the fraud is.”

What the Audit Committee Should Expect to See

A competent audit of a digitised Caribbean entity in 2026 should produce — at the audit committee level — a clear and substantive cyber-relevant component of the audit communication. Specifically, the audit committee should expect:

  • A documented IT environment scope — which applications, which infrastructure, which third parties — that the audit committee can read and understand.
  • An IT general controls findings report identifying any deficiencies in access, change, and operations relevant to financial reporting, with clear distinctions between significant deficiencies, material weaknesses, and lower-rated observations.
  • An explicit auditor view on any cyber incidents that occurred during the period — whether they have financial statement implications, what the entity has done to assess and respond, and whether the auditor is satisfied with management’s evaluation.
  • An updated fraud risk consideration that reflects current cyber-vector fraud patterns, with linkage to the audit’s journal entry analytics and other fraud-relevant procedures.
  • Where relevant, a going concern enquiry that incorporates the entity’s material cyber exposures — particularly for entities where digital channels are the principal business.

What the audit committee should not expect is an audit opinion on the entity’s cyber programme. That is a separate engagement — typically a SOC 2 examination, an ISO 27001 certification, a NIST CSF assessment, or a Dawgen Global CARISK™ cyber risk review — and the audit committee should be clear about which engagement they are buying when they are buying it.

Four Questions to Ask Your Auditor

  • How do you scope the IT environment relevant to our financial reporting, and how have you tested the IT general controls? You are asking whether the auditor has engaged seriously with the IT environment under ISA 315 (Revised), or has treated it as a peripheral matter.
  • If we suffered a material cyber incident during the period, what would your audit response look like — what would you ask us to provide, and what would you evaluate? An auditor who has not thought this through in advance is an auditor who will improvise badly in a crisis.
  • How do you address cyber-vector fraud risk in our audit — specifically business email compromise, payment file manipulation, and insider system misuse? The answer reveals whether the auditor’s fraud risk assessment has caught up to current fraud patterns.
  • Where do you stop, and where do we need to engage someone else? The competent auditor will tell you clearly that the audit is not a cyber audit, will explain what is in scope and what is not, and will be straightforward about when an additional engagement — a SOC examination, a cyber risk review — is the right complement to the audit.

How Dawgen Global Approaches the Cyber-Audit Intersection

Within D·ASSURE™, the cyber-audit intersection lives in the U pillar — Unified Controls Assurance — which integrates testing of IT general controls, application controls, and business process controls in a single coordinated stream rather than as parallel workstreams. Every Dawgen Global audit involves IT audit specialists drawn from the firm’s integrated practice, working alongside the financial audit team from planning through to sign-off.

The firm’s CARISK™ risk taxonomy provides the framework within which cyber risk is mapped to financial statement assertions, ensuring that the audit’s cyber-relevant work is risk-driven rather than checklist-driven. Where an entity has experienced a cyber incident, Dawgen Global engages its forensic specialists alongside the audit team to evaluate financial statement implications, integrity of financial data, and adequacy of disclosure. Where the audit committee requires more than the audit provides — a SOC 2 examination, an ISO 27001 readiness review, a board-level cyber risk diagnostic — Dawgen Global delivers these through separate engagements, with clear scoping and clear deliverables.

The firm’s position is, in the end, a position of intellectual honesty. The external audit cannot — and should not — purport to be a cyber audit. But the external audit cannot ignore cyber risk either. The discipline lies in doing exactly what the standards require, doing it seriously, and being clear with the audit committee about where the audit ends and where additional engagements begin.

What’s Next in the Series

Article 6 takes up the auditor’s responsibilities relating to fraud and going concern — the two areas where the audit’s social licence is most directly tested. If this article addressed where cyber risk meets the financial statement audit, the next addresses where the audit must look hardest, ask most pointedly, and document most thoroughly. ISA 240 and ISA 570 (Revised) are the standards; Caribbean case patterns are the context; and the audit committee’s legitimate expectations are the through-line.

If you are an audit committee chair, CFO, CIO, or CISO and would like a confidential briefing on what your external auditor should be doing about cyber risk — or a diagnostic review of your IT general controls and cyber-relevant audit posture — the Dawgen Global Audit & Assurance team welcomes the conversation. Write to [email protected] or visit dawgen.global.

About the Author

Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with operations across more than fifteen Caribbean territories. He writes weekly on Caribbean governance, audit, and assurance matters through Caribbean Boardroom Perspectives and The Caribbean Advisory Brief.

The Caribbean Audit Imperative

A twelve-article series from Dawgen Global  |  dawgen.global

About Dawgen Global

Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.


by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional services firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years’ experience in the fields of audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.