How an Internal Audit function will battle cyber security issues for your company WHEN it happens in 2017?
It is no longer a question asked in the boardroom by the senior management of multinational companies: could we be hacked? It is now a matter of when we will be hacked and how we will contain the resulting data breach. Given the exposure and risk to a company’s valuable assets and information, the board of directors has a duty to be adequately prepared for that day. How can they prepare? One major tool available to them is the internal audit team. Internal auditing is indispensable for helping companies manage cybersecurity threats and run preventative programmes. Here are some suggestions on how best to prepare.
1- Ensure your audit function is adequately prepared with talent, resources and budget.
It may be your HR department’s responsibility to ensure that you have hired the “IT Audit Dream Team”; do not hinder this by withholding hiring budgets. In the long term that will cost your company more in both time and money. Finding the right skills and industry-specific experience is often challenging, so using a specialised external executive search firm such as Audit International can help you secure the people who best fit your company. Management should therefore prepare their companies to prioritize developing, training and hiring adequate resources for the internal audit team.
2- Keep communication open with your Internal Audit Team
Engagement between the internal audit team and the business it serves is vitally important. To understand where cyber risks are coming from, you have to appreciate how the business works. This includes assessing firewalls, networks and applications, but also understanding the company’s processes and how it interacts with customers and suppliers. Cyber security risks are moving targets, and most of the exposure lies in a company’s human element. You should ensure your internal audit team is given a clear and thorough understanding of business operations. The only way this can really happen is to keep an ongoing rotation of internal audit staff through the business’s various functions and units. This serves multiple purposes. First, it helps retain valuable talent, because auditors are then satisfied with their own career progression; it is well known in the recruitment space that a lack of progression is one of the key drivers for auditors to leave their roles, which in turn costs the company time and resources to replace, hire and train new audit talent. Secondly, it gives your auditors a more well-rounded view of the company, so they can add more value and stay in tune with the business.
3- Ensure coordination between functions: IT and Internal Audit
Another integral part of this issue is the level of coordination between the internal audit team and other key functions; it is critical to the success of tackling your cyber issues and risks. You must ensure that your internal audit team is given access to those other functions. These include the chief information officer and chief information security officer, as well as human resources, procurement and business leaders. Coordination can make or break any important undertaking, and cybersecurity is no exception.
4- Where to start and what questions to ask first?
Below is a suggestion of where your audit committee can begin and what issues need to be addressed first.
• What interaction and coordination does the internal audit team currently have with other corporate functions (e.g. information technology, information security, operations, supply chain, human resources) on cybersecurity matters?
• What skill sets does your internal audit team have that are related to information security? Cybersecurity? How do team members keep their skills current? How do you retain team members? Do you need to hire further talent to support them?
• Does the company perform internal and/or external system penetration testing? Are the tests announced or unannounced? What role, if any, does the internal audit team play? Is there open communication between all your functions to facilitate this?
• What types of prevention, detection, and reaction/response testing does the internal audit team perform in the threat and vulnerability management life cycle? Again, do you have sufficient in-house talent to tackle all these problems? Are you supporting your team enough in terms of resources and talent?
• What role, if any, does the internal audit team play during a breach? Regular meetings and coordination could play an integral part in highlighting how these functions can support each other if a breach occurs, which may then lead to quicker resolution of the problem.
• What role, if any, does the internal audit team play after a breach has occurred?
• Who performs cyber-related investigations within the organization? Do you outsource this responsibility, and if so, would it be worth hiring an in-house function to address these issues?