Cybersecurity and Financial Audits in Moldova: What Stakeholders Told Us

03/03/2026

In our previous article, we explained why Crowe Moldova is investigating how cybersecurity can be integrated into financial audits. We now share the key findings from ten interviews with CFOs/CIOs (banking and telecom), financial auditors, CISA-certified IT auditors, cybersecurity experts, and regulators—grouped into four stakeholder categories (clients, auditors, IT experts, regulators).

The message was consistent: cyber risk is already a financial and governance risk, but audit practices and organizational readiness have not fully caught up.

What we heard across stakeholders

1) Awareness is rising, but behaviour remains the weak point

Most participants agreed that people and day-to-day behaviour are the biggest vulnerability. Even when organizations run “cyber weeks,” trainings, and phishing simulations, employees still click, and awareness efforts often become “tick-box” exercises rather than measurable behaviour change. Several interviewees also noted that executive teams support cybersecurity in principle, but often lack practical understanding of how it links to strategy and risk decisions.

2) Threats are evolving faster than audit routines

Participants raised concerns about AI-enabled phishing, deepfakes, and advanced social engineering. They also highlighted that cyber risk looks different in banks versus startups or SMEs—yet audit approaches often apply the same control expectations regardless of business model, maturity, and risk profile. This creates friction and misses the point of risk-based auditing.

3) Governance is fragmented outside regulated sectors

Banking-sector respondents described stronger governance due to supervisory requirements, incident reporting, and formal roles. Outside finance, however, governance is often unclear: IT and cybersecurity responsibilities are blended, segregation of duties is weak, and policies may exist “on paper” but are not maintained or enforced. Many boards still treat cybersecurity as an IT issue rather than a strategic risk—until an incident happens.

4) Frameworks are known, but operational integration is uneven

Stakeholders referenced ISO 27001, GDPR, DORA, NIS2, and ISA 315, but repeatedly distinguished between formal compliance and real operational discipline. Some organizations pursue documentation and certification, yet daily processes do not match policy. Still, there were positive examples of non-financial entities embedding ISO 27001 into their culture through annual recertification, training, and continuous improvement, showing that the standard can scale beyond regulated sectors when leadership commits to it.

5) Audits face real limitations when assessing cyber risk

Participants pointed to (a) capability gaps—needing auditors with stronger cyber literacy and closer collaboration with technical specialists—and (b) evidence constraints, as clients may refuse to share logs or incident reports due to confidentiality concerns and uncertainty about how auditors protect sensitive data. Many also criticized current practice for relying on ITGC checklists, with too little risk-based thinking and limited root-cause analysis.

The big takeaway: a resilience divide

A clear divide emerged between regulated sectors (especially banking) and SMEs/public institutions. Regulation drives governance discipline in banks, while other sectors often lack resources, roles, and structured guidance—creating wider ecosystem risk through supply-chain interdependence.

What this means for Crowe Moldova

Crowe Moldova sees cybersecurity integration as a quality upgrade to audit assurance, aligned with evolving stakeholder expectations. Our focus is to move beyond checklists toward a risk-based approach that links cyber threats to financial reporting, controls, governance, and operational resilience.

Next articles will translate these findings into practical guidance: what evidence matters, how to structure cyber-related audit procedures, and what organizations can do now to improve readiness—regardless of sector.