Cyber risk and internal audit: An urgent call to action

Posted by | September 24, 2018 | Latest Audit Information & News


Internal audit has a critical role in helping organizations manage cyber threats: it provides an independent assessment of the controls that exist and the controls that are still needed, and it helps the audit committee and board understand and address the diverse risks of the digital world.

The threat from cyber attacks is significant and continuously evolving. Many audit committees and boards now expect internal audit to understand and assess the organization's capability to manage the associated risks. Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board; that summary then drives a risk-based, multiyear cyber security internal audit plan.

Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations; they are an organization's first line of defence. The second line is made up of the information and technology risk management leaders who establish governance and oversight, monitor security operations and take action as needed.

Increasingly, companies are recognizing the need for a third line of cyber defence: independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing enterprise security and identifying opportunities to strengthen it. At the same time, internal audit has a duty to give the audit committee and board of directors assurance that the controls they are ultimately accountable for are in place and functioning correctly. That assurance is a growing concern across boardrooms, because directors face potential legal and financial liabilities when it cannot be given.

Cybersecurity assessment framework

Several factors are noteworthy as internal audit professionals consider and conduct a cybersecurity assessment:

  1. Involve people with the necessary experience and skills. It is critical to involve audit professionals with the appropriate depth of technical skill and knowledge of the current risk environment. A tech-oriented audit professional versed in the cyber world can be an indispensable resource.
  2. Evaluate the full cybersecurity framework rather than cherry-picking items. This means understanding the current state against each characteristic of the framework, where the organization is heading, and the minimum cybersecurity practices expected across its industry or business sector.

The initial assessment is not intended to be an exhaustive analysis requiring extensive testing. Rather, it should identify where the risk lies and drive the further, more in-depth, risk-based cybersecurity deep-dive reviews that follow.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.
