When Markets Crash and Controls Falter: Audit Lessons from the M&S Cyberattack


It wasn’t a profit warning or a scandal over supplier practices that triggered the latest crisis at Marks & Spencer. It was a cyberattack, faceless, fast-moving, and all too familiar, that wiped more than £1 billion off the company’s market value and carved a million-pound hole in the chief executive’s bonus.

The headlines, of course, were predictable: shareholder shock, legal speculation, red-faced executives photographed outside gleaming shopfronts. But beyond the PR scramble and the predictable boardroom statements lies a question that ought to trouble auditors far more than it currently does: how do we account for chaos?

Because what happened over Easter wasn’t merely an IT issue. It was an event with direct implications for the risk of material misstatement, internal control reliability, compliance with law, and stakeholder trust. All the tidy categories of the AAA syllabus (RoMM, ITGCs, ISA 250, KAMs) were, in that moment, no longer abstract academic boxes but bleeding edges of real corporate pain.

What Happened?

Over the long Easter weekend, Marks & Spencer found itself on the wrong end of a coordinated cyberattack, reportedly involving threat actors linked to Scattered Spider and DragonForce. Customer data, names, contact details, and order histories were believed to have been compromised. Online orders stalled. Internal systems seized up. Investors didn’t hang around: as news of the breach filtered out, the market responded in the only language it knows, by shaving nearly 14% off the company’s share price. That’s roughly £1.15 billion gone in a matter of hours, not because the tills stopped ringing, but because confidence did.

As for the man at the top, Stuart Machin, once hailed as the architect of a high-street revival, the fallout was personal. No victory laps this quarter. Instead, he’s taking a hit to the tune of over a million pounds, most of it in lost share options, with a decent chunk clawed back from last year’s bonus. It’s one of those moments when corporate accountability moves from PowerPoint slides to actual numbers. Whether it changes anything is another matter entirely.

Audit Theory

Let’s start with the basics. Cyberattacks are a business risk. But more than that, they’re increasingly a financial reporting risk. System outages affect inventory cut-offs. Data loss impairs assets, and legal fallout demands provisions per IAS 37. Even access to evidence (transaction logs, reconciliations, audit trails) can vanish with a keystroke. If you’re still thinking of RoMM in terms of dodgy spreadsheets or valuation models, you’re missing half the battlefield.

Then there’s internal control. Any half-decent ITGC audit will ask about multi-factor authentication, system segregation, and access controls. But how often do we, in practice, dig beyond the surface? How often do we test how controls are configured, not just whether they exist? M&S, like so many firms, likely had policies. But policies don’t stop phishing links. People click and, as a result, whole systems break. And the audit file quietly notes “reliance placed on ITGCs”.
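To make “testing how controls are configured, not just whether they exist” concrete, here is an added example that is not code from the article, from M&S, or from any audit firm. It takes a constructed user-access export and applies an assumed access policy to it (MFA enrolment, dormant privileged accounts, leavers still enabled, segregation-of-duties conflicts), returning the exceptions an auditor would need management to explain. The export fields, role names, and thresholds are all assumptions for the illustration.

```python
"""
Added example: an ITGC configuration test over a user-access export.

A policy document saying "all users must have MFA" is evidence that a control
is designed; this script tests whether the control is actually operating in
the exported configuration. Everything below (fields, roles, thresholds and
the sample accounts) is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    roles: Tuple[str, ...]
    mfa_enrolled: bool
    enabled: bool
    last_login: Optional[date] = None
    leaver_date: Optional[date] = None  # set when HR has recorded the person leaving


# Assumed policy parameters (not from the article).
PRIVILEGED_ROLES = {"domain_admin", "erp_superuser"}
DORMANT_DAYS = 90
# Role combinations one person must not hold at the same time.
SOD_CONFLICTS = [
    ({"create_vendor", "approve_payment"}, "can create a vendor and approve payments to it"),
    ({"post_journal", "approve_journal"}, "can post and approve the same journal"),
]


def check_accounts(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Return {user: [exception, ...]} for every enabled account that breaches policy."""
    findings: Dict[str, List[str]] = {}

    def flag(user: str, issue: str) -> None:
        findings.setdefault(user, []).append(issue)

    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts cannot be used; out of scope for operation testing

        if a.leaver_date is not None and a.leaver_date <= as_of:
            flag(a.user, f"leaver on {a.leaver_date.isoformat()} but account still enabled")

        if not a.mfa_enrolled:
            flag(a.user, "no MFA enrolled")

        held = set(a.roles)
        if held & PRIVILEGED_ROLES:
            # Privileged accounts that nobody uses are a classic stale-access finding.
            if a.last_login is None or (as_of - a.last_login).days > DORMANT_DAYS:
                flag(a.user, f"privileged account dormant for more than {DORMANT_DAYS} days")

        for conflict_roles, description in SOD_CONFLICTS:
            if conflict_roles <= held:
                flag(a.user, f"segregation-of-duties conflict: {description}")

    return findings


# Constructed sample export, as at the assumed audit date below.
AS_OF = date(2025, 4, 22)
SAMPLE_ACCOUNTS = [
    Account("alice", ("domain_admin",), True, True, last_login=date(2025, 4, 10)),
    Account("bob", ("erp_superuser",), False, True, last_login=date(2024, 12, 1)),
    Account("carol", ("create_vendor", "approve_payment"), True, True, last_login=date(2025, 4, 20)),
    Account("dave", ("warehouse",), True, True, last_login=date(2025, 3, 1), leaver_date=date(2025, 3, 15)),
    Account("erin", ("domain_admin",), False, False),  # disabled: ignored
]


def control_operating_effectively(accounts: List[Account], as_of: date) -> bool:
    """True only when the exported configuration produces zero exceptions."""
    return not check_accounts(accounts, as_of)


if __name__ == "__main__":
    for user, issues in sorted(check_accounts(SAMPLE_ACCOUNTS, AS_OF).items()):
        for issue in issues:
            print(f"{user}: {issue}")
    print("control operating effectively:", control_operating_effectively(SAMPLE_ACCOUNTS, AS_OF))
```

The point of the design is that the audit evidence becomes the exception list, not the policy PDF: an empty list supports reliance on the control, and a non-empty one is a concrete deficiency to raise, not a box to tick.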

ISA 250 adds another layer. GDPR breaches aren’t just a PR headache, they’re a legal liability. Fines, lawsuits, class actions. Auditors have a duty to consider non-compliance.

The CEO’s bonus haircut certainly makes a good headline, but let’s be blunt: it is not an act of noble sacrifice. It’s performance-linked, not a voluntary forfeit. Still, governance matters, and perceptions matter even more. When customers lose data and shareholders lose billions, the absence of visible accountability is louder than any press release. What’s ethically thornier is what gets disclosed. Who knew what, and when? Were systems vulnerable long before Easter? Did management delay public announcements to manage investor reaction? Auditors need to apply professional scepticism here, not just about numbers, but about narratives.

The IESBA Code talks of integrity and transparency, but in a cyber crisis, these are not just moral ideals. They’re testable, reportable audit matters. If an auditor nods along to a bland, catch-all disclosure, all the while aware that the situation runs far deeper, they’re not doing their job, they’re helping to paper over the cracks.

Practical Lessons for Auditors

So what should change?

For one, audit planning must take cyber seriously. Not as an IT annex or a specialist carve-out, but as a mainstream financial risk. That means involving IT experts, understanding system dependencies, and designing audit procedures that hold up even when systems crash.

For another, firms need to rethink reliance on management assurances. Cyberattacks are, by their nature, embarrassing. Disclosures will be minimal, cautious, and late. Scepticism is not optional.

And finally, we must revisit our reporting. If a breach has financial implications, it belongs in the auditor’s report, whether as a KAM or as an Emphasis of Matter. Because silence implies irrelevance, and nothing could be less true. It’s an audit issue, and a governance and human issue too. As long as auditors treat it as an edge case, we will keep missing the centre of the storm.
