Fortifying cyber defences

According to Liew, there is a growing demand in Asia Pacific for IT audits. ‘With the rise in cybersecurity threats and increasingly complex regulations, especially around data privacy, businesses are recognising that regular IT audits are essential,’ she says. Companies are not just looking to plug security holes but also to optimise operations and ensure compliance with an ever-evolving legal landscape.

Cyber surge

This need is echoed in Hong Kong, where Paul Cheng and Jonathan Wan, partners at Forvis Mazars Consulting, are witnessing a similar wave. ‘Cybersecurity has become a top strategic priority,’ Cheng says. ‘From the proliferation of fintech to the digitisation of core operations, the risks have evolved just as rapidly as the technologies themselves.’

In 2024 alone, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) handled over 12,500 cybersecurity incidents – more than twice the number for the previous year. Phishing attacks led the pack, indicating that even basic digital hygiene is still a major pain point.

‘Cybercriminals are deploying increasingly sophisticated techniques,’ Wan warns. ‘It’s no longer a question of if you’ll be attacked, but when, and, therefore, how prepared you are to respond.’

Hong Kong passed its first cybersecurity law in March 2025, mandating stronger cybersecurity frameworks for key sectors. ‘Legislation has pushed cybersecurity from the IT department to the executive suite,’ Wan adds.

IT audits

At firms like CSC, IT audits start with defining scope – identifying which systems and operations are under the microscope. The process involves a thorough assessment using tools such as governance, risk and compliance (GRC) platforms, data analytics software and artificial intelligence (AI).

‘We use these tools to review documentation, conduct interviews, inspect systems and analyse patterns across vast datasets,’ Liew says. The end goal is to uncover vulnerabilities, evaluate compliance and suggest actionable improvements – everything from stronger access controls and encryption to process overhauls and new policies.

Importantly, clients aren’t just looking for problems, they want solutions. ‘They come to us for a clear picture of their security posture,’ Liew says. ‘But more than that, they expect guidance on how to align IT with their broader business objectives.’

Custom security

While IT audits offer a diagnostic view, firms take it further with tailored cybersecurity as a service. Forvis Mazars’ suite includes everything from penetration testing to employee training, compliance assessments and support for virtual asset trading platforms (VATPs) – a rapidly growing niche in Hong Kong.

‘We don’t believe in a one-size-fits-all model,’ Cheng emphasises. ‘Every business has unique risks, objectives and regulatory obligations. Our job is to deliver precision – cybersecurity strategies that actually make sense for each client.’

Forvis Mazars’ client roster includes companies navigating regulations such as Hong Kong Monetary Authority’s C-RAF 2.0, ISO 27001, and the Securities and Futures Commission’s VATP guidelines. Blockchain enterprises, in particular, are looking for help with decentralised systems and token-based infrastructure. ‘We’ve even seen legal innovations like serving High Court injunctions through blockchain technology,’ Wan adds, underlining how closely cybersecurity now intertwines with law and governance.

The integrated future

Cybersecurity is not a standalone silo. It weaves through compliance, finance, operations and strategy, which makes integration with services like auditing not just beneficial, but essential.

‘By integrating IT audits with other departments, we get a clearer picture of systemic risks,’ Liew says. ‘A security flaw might start in IT but impact finance, customer service and compliance downstream.’

Cheng adds: ‘At Forvis Mazars, we often conduct IT general control audits alongside financial audits. This dual approach validates the effectiveness of digital controls, ensuring the integrity and confidentiality of critical data.’

As organisations face growing pressure from stakeholders, regulators and customers to prove their resilience, this integrated model provides both assurance and a roadmap for improvement.

Smarter audits

Advanced technology is changing the way audits and cybersecurity assessments are conducted. ‘We’re preparing to integrate AI into our audit process,’ Liew says. ‘It will help us process complex datasets faster and with more predictive insights.’

The goal isn’t just faster audits, it’s smarter ones. AI can automate repetitive tasks, spot anomalies and even flag potential compliance risks in real-time. Meanwhile, cybersecurity firms continue investing in certification and technical expertise. At Forvis Mazars, qualifications such as CISSP, CISA, OSCP and blockchain-specific certifications like CCSSA are standard fare.

But beyond tools and certifications lies a commitment to partnership. ‘Our job doesn’t end with a report,’ Wan says. ‘We support implementation, policy development and continuous improvement. Cybersecurity isn’t static; it’s a living, breathing strategy.’

Strategic necessity

In today’s threat-laden digital landscape, cybersecurity is a strategic necessity rather than a technical fix. Whether through in-depth IT audits or bespoke security consulting, professional services firms in Asia are helping businesses face this challenge head-on.

Their role is no longer limited to identifying risks. They are becoming trusted advisers, helping clients not only to survive but to thrive in the digital age.

As Liew puts it: ‘An effective IT audit doesn’t just find problems, it empowers businesses to make better decisions and build stronger systems. That’s what resilience looks like.’

Source: various reports