Cybersecurity has arguably emerged as the single biggest concern for enterprises today, as even the best-fortified businesses fall prey to sophisticated data security attacks and threats. A survey of more than 1,500 business and technology executives across 12 countries by CompTIA, the non-profit association for the global IT industry, found that nearly three-quarters of the surveyed organizations faced at least one security breach or incident in 2015, with about 6 in 10 breaches classified as serious.
A cyberattack can be lethal to any organization, as it compromises sensitive data and, through it, the financial position, strategic vision, and, more importantly, the trust and credibility that the company has built over the years. Given the magnitude of this risk, what role does the internal audit function of an organization play in minimizing the likelihood and impact of such an attack?
Many organizations view cybersecurity as an exclusive IT concern. It is left to the IT function to identify, manage, and mitigate cyber risks. However, in today’s fast-evolving threat landscape where security attacks can compromise systems in a matter of minutes, it is absolutely essential for all three lines of defense to come together and ensure a coordinated approach to cybersecurity risk management. As the third line of defense, internal audit has a particularly important role to play in reviewing security measures and controls, uncovering areas of concern before they spiral into larger issues, and identifying opportunities to strengthen organizational security.
Internal audit is expected to be aware of and understand the data security threats that loom large over organizations. Internal audit teams must also help in the identification of vulnerabilities, and be part of continuous efforts to confirm that risks are minimized. In many organizations, internal audit is tasked with not only highlighting information security and privacy risks but also conducting special audits to assess if there are adequate controls, policies, and procedures in place. More importantly, internal audit’s responsibility is to ascertain if these controls are being diligently and consistently followed by the respective teams.
Often enterprises are in a hurry to introduce new business processes, services, or products, and in doing so, they may overlook critical information security risks. This could lead to catastrophic consequences. Internal audit can help prevent such incidents by proactively examining if all the required security precautions have been taken, and if loopholes have been plugged before an important business launch.
One of the biggest challenges of cybersecurity is the continuously evolving nature of risks and threats. Here too, internal audit plays a key role in keeping abreast of emerging threats through constant collaboration and networking with industry counterparts. The risk information gathered must be communicated regularly to the audit committee and board. In fact, internal audit should be able to provide regular and comprehensive reports of both existing and emerging cyber risks in the organization, as well as recommendations to mitigate them.
Internal audit is also required to help ensure that cybersecurity regulations, including SEC disclosure mandates, are being met. In many cases, they are expected to independently review the effectiveness of the organization’s cyber risk mitigation programs.
A robust cybersecurity strategy adopts a three-pronged approach – preventive, detective, and corrective. Internal audit’s role falls primarily in the first two categories: preventing major cyber threats and risks through frequent audits and recommendations, and detecting cybersecurity lapses and control issues. These objectives must be fulfilled not in isolation, but in continuous collaboration with the IT function.
There are many benefits to building a good relationship between internal audit and IT. For one, internal audit provides an unbiased and independent review of information security frameworks and controls, which, in turn, enables the IT team to design better controls or address areas that they might have previously overlooked. Internal audit’s support also boosts the IT team’s efforts to get management’s buy-in on security policies and to ensure that employees take their security compliance responsibilities seriously.
To that end, it is important that internal audit, together with the audit committee, meets with the CIO and CISO regularly to discuss important cybersecurity issues, and share insights on emerging threats and vulnerabilities, as well as cybersecurity regulations. It is also critical to have a tool that helps the teams communicate and coordinate audit activities efficiently.
One of the most essential requirements of a cybersecurity program is to ensure that risks, threats, and controls are communicated and reported in a consistent manner. That, in turn, requires internal audit to help the organization create a common risk language. Many internal audit teams have adopted standardized libraries of risks and controls, enabled by technology, which make it simple to aggregate, communicate, and analyze cybersecurity information.
Another key best practice is to have a centralized data repository where internal audit and IT teams can easily maintain, access, and share crucial data. They can also map security risks to auditable entities, IT assets, controls, regulations, and other key factors. This tightly integrated data model allows internal audit to determine, at a glance, how a cybersecurity risk or ineffective control could impact the enterprise. Accordingly, they can provide recommendations proactively to resolve the issue.
Given that cybersecurity risks and controls are pervasive across the enterprise, the scope of an audit can often be vast and overwhelming. How then should internal audit know where to begin their assessments, especially when their resources are limited? This is where a risk-based approach to auditing can add value. It enables internal audit to prioritize their activities and resources based on the areas of highest risk in the organization.
Many internal auditors develop intelligence for risk-based auditing through risk assessments and scenario analysis tools. The resulting data helps them develop a systematic, risk-based audit plan with a well-defined objective and scope. Technology can help not only by streamlining risk assessments, but also by delivering real-time visibility into risks and controls, and by providing a centralized mechanism to document and manage risks, both existing and emerging.
Until a decade ago, it was unusual for internal audit to be involved in evaluating information security risks and controls. However, in today’s digital enterprises, information has emerged as a critical organizational asset that faces a growing number of security threats from all quarters. The war against these threats cannot be waged by the IT function alone. Internal audit is a pivotal ally, and must join forces with IT, in association with the board, management, and front-line units, to build a truly robust cybersecurity strategy that focuses on anticipating and mitigating risks, and on building organizational resilience.