The Public Sector Accounting Standards Board (PSASB) has announced the release of an exposure draft on the Cybersecurity Topical Requirement by the Global Institute of Internal Auditors. Topical Requirements are one of the three key elements of the International Professional Practices Framework® (IPPF), alongside the Global Internal Audit Standards™ and Global Guidance adopted by the Public Sector Accounting Standards Board (PSASB).
According to the PSASB Acting CEO, Georgina Muchai, the Cybersecurity Topical Requirement provides a comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes and is applicable to those who are specifically auditing this area.
The Cybersecurity Topical Requirement, Ms. Muchai said, further seeks to assist public sector entities in establishing policies and procedures related to cybercybersecurity governance, risk management, and control processes, in a bid to enhance cybersecurity practices and risk management processes, strengthen the control environment, internal audit functions, and effectively manage cybersecurity risks across their operations.
“The implementation of the Cybersecurity topical requirement will enhance the protection of public sector entities’ information assets from unauthorized access, disruption, alteration, or destruction and strengthen the overall control environment to reduce risk,” the CEO stated. She said cyberattacks can lead to direct and indirect impacts that are often significant, as computers, networks, programs, data, and sensitive information are critical components of public sector entities. “Since entities heavily rely on information technology resources, having clearly defined a cybersecurity plan, objectives, inherent risks, and effective controls should be a priority for management,” PSASB Acting CEO, Georgina Muchai said.
The CEO said the cybersecurity topical requirement consists of three sections, namely Cybersecurity Governance, Cybersecurity Risk Management, and Cybersecurity Control Processes. Each section contains a set of requirements that public sector entities are expected to adhere to. She said Kenya is facing a significant surge in cybersecurity attacks, with frequent strikes occurring daily on websites and ICT systems of public sector entities. Most of these attacks exploited system vulnerabilities, which may be attributed to the proliferation of Internet of Things (IoT) devices, which are inherently insecure, the latest Cybersecurity Report from the Communication Authority of Kenya indicates. Ms. Muchai said this alarming trend, heightened by the advent of artificial intelligence (AI), not only jeopardizes the online presence of public sector entities but also undermines the trust and integrity of Kenya’s digital economy.