Internal Audit’s Role in Cybersecurity

October 16, 2022 | Written by Greg Michaels

Introduction

Over the course of just a few years, cybersecurity has grown into one of the most significant risk management challenges facing virtually every type of organization. Most organizations are still coming to grips with the compliance obligations and regulations their business must now satisfy, or else be deemed non-compliant and incur penalties. All too many of these organizations are still trying to figure out where to start. Internal audit has a critical role in helping organizations in the ongoing battle of managing cyber threats: it provides an independent assessment of existing and needed controls and helps the audit committee and board navigate the diverse risks of the digital world.

A decade ago, the internal audit function evolved and adapted to the increasingly important role that information technology (IT) was playing in all aspects of business operations. Today, Internal Audit (IA) faces the need to adapt once again to address the critical risks associated with cybersecurity.

The IA function has a key role in assessing cyber disruptions as part of strategic risk and in identifying operational control gaps at the business level. It works with management to develop and maintain an adaptive capacity to different types of risk, building and improving business continuity along the way.

The Challenging Cybersecurity Landscape

A cyberattack can be lethal to any organization, as it compromises sensitive data and, through it, the financial position, strategic vision, and more importantly, the trust and credibility that the company has built over the years. Given the magnitude of this risk, what role does the Internal Audit (IA) function of an organization play in minimizing the risk likelihood and impact?

Cybersecurity risk is growing and evolving globally, and so is IA’s role in mitigating it.

Executives and legislators know cybersecurity needs to be top of mind. According to a 2020 Cisco survey, 89% of executive leaders consider cybersecurity a high priority. The average cost of a data breach rose from USD 3.86 million to USD 4.24 million, the highest average total cost in the 17-year history of the report [1]. On March 2, 2022, the Senate approved new cybersecurity legislation, which still must pass in the House, requiring critical infrastructure owners and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they experience a substantial cyberattack. It would also require critical infrastructure companies to report ransomware payments to the federal government within 24 hours. Additionally, on March 9, 2022, the Securities and Exchange Commission (SEC) proposed new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies.

With major cyber breaches appearing in news headlines more frequently, and with increased scrutiny by regulators, cybersecurity is on IA's radar more than ever. IA works to manage cyber threats by providing independent assessments of existing risk and helping the audit committee and board understand and address that risk. Deloitte reports that many organizations recognize the need for a third line of cyber defense: an independent review of security measures and performance undertaken by IA.

Cybersecurity is not the sole responsibility of the security or Information Technology (IT) teams; it impacts and involves all business areas. In a traditional siloed approach, each department treats risks independently, and there is no common language or framework for examining cyber risk holistically. Focusing on risk removes these silos while making it possible for business process owners to prioritize and act on findings.

Before IA can help, CEOs and CIOs need to answer key questions: "Are we prepared for accelerated digitization in the next three to five years?" and, more specifically, "Are we looking far enough forward to understand how today's technology investments will have cybersecurity implications in the future?" [2]

Businesses are often in a hurry to introduce new business processes, services, or products, and in doing so they may overlook critical information security risks, with potentially catastrophic consequences. IA can help prevent such incidents by proactively examining whether all the required security precautions have been taken, and whether known gaps have been closed, before an important business launch.

Frameworks To Assist Management In Implementing And Evaluating A Cybersecurity Risk Management Program

  • National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. A 2013 Presidential Executive Order called for the creation of a voluntary, risk-based cybersecurity framework that would provide a set of industry standards and best practices for all organizations. The resulting NIST framework came together with collaboration between industry and government.
  • ISO/IEC 27001. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), this group of standards is intended to be used as guidance for securing financial information, intellectual property, employee data, and other information entrusted to the organization by third parties.
  • SEC Cybersecurity Guidelines. The SEC has published cybersecurity guidance for registered investment companies and investment advisers, including steps to consider addressing cyber risk.
  • Trust Services Criteria (TSC). The TSC, developed by the AICPA's Assurance Services Executive Committee, are designed for evaluating the suitability of the design and the operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or to the confidentiality or privacy of the information those systems process. They can be applied to an entity as a whole, to a division or operating unit, to a particular type of information, or to one or more systems that support a particular function within the entity.

Strengthening Collaboration Between IA and the IT Function

A robust cybersecurity strategy adopts a three-pronged approach: preventive, detective, and corrective. IA's role falls primarily in the first two categories, detecting cybersecurity lapses and control issues, and preventing major cyber threats and risks through frequent audits and recommendations. These objectives must not be pursued in isolation, but in continuous collaboration with the IT function.

There are many benefits to building a good relationship between IA and IT. For one, IA provides an unbiased and independent review of information security frameworks and controls which, in turn, enables the IT team to design better controls, or address areas that they might have previously overlooked. IA’s support also provides a boost to the IT team’s efforts to get management’s buy-in on security policies and ensure that employees take their security compliance responsibilities seriously.

To that end, it is important that IA, together with the audit committee, meet with the CIO and CISO regularly to discuss important cybersecurity issues and to share insights on emerging threats and vulnerabilities, as well as on cybersecurity regulations. It is also critical to have a tool that helps the teams communicate and coordinate audit activities efficiently.

IA And Cybersecurity

Effective risk management incorporates multiple layers of defense, commonly described as three lines:

  1. The business and IT functions that support an organization's daily operations and own the controls.
  2. The IT risk management function, which creates governance standards and provides oversight within the organization.
  3. The organization's IA function, which independently assesses the effectiveness of controls, makes recommendations for improvement, reports observations to the board, and documents financial and regulatory compliance.

By using a common risk framework across departments and individuals in all three lines of defense, an auditor can truly evaluate the effectiveness of a cybersecurity program and get an accurate picture of where the organization stands. A risk-based approach also lets IA meet expectations set by the board and identify major tactical and strategic gaps in cybersecurity governance.

IA can assist in the defense through five critical elements that complement a successful cybersecurity strategy and response plan. The five critical elements are as follows:

  1. Protection
  2. Detection
  3. Business Continuity
  4. Crisis Management
  5. Continuous Improvement

IA supports protection and detection through testing and review of policies, processes, and procedures for compliance with both IT governance requirements and industry best practices. IA also drives business continuity and crisis management by coordinating and communicating with all levels of the organization and by planning for a variety of disasters, including cyberattacks. Lastly, IA focuses on bringing value to the organization by taking the lessons learned from each department and feeding them back into processes and procedures for continuous improvement.

IA is expected to be aware of and understand the data security threats that loom over organizations. IA teams must also help in the identification of vulnerabilities and be part of continuous efforts to confirm that risks are minimized. In many organizations, IA is tasked with not only highlighting information security and privacy risks but also conducting special audits to assess if there are adequate controls, policies, and procedures in place. More importantly, IA’s responsibility is to ascertain if these controls are being diligently and consistently followed.

One of the biggest challenges of cybersecurity is the continuously evolving nature of risks and threats. Cybersecurity auditors should review the relevant compliance standards and requirements well before the audit commences. If the organization has a compliance function, it should share relevant information with the audit team, since that information lets auditors align the audit with the organization's most pressing needs. Here too, IA plays a key role in keeping abreast of emerging threats through constant collaboration and networking with industry counterparts. The risk information gathered must be communicated regularly to the audit committee and board. In fact, IA should be able to provide regular and comprehensive reports on both existing and emerging cyber risks in the organization, together with recommendations to mitigate them.

IA is also expected to help ensure that cybersecurity regulations, including SEC disclosure mandates, are being met. In many cases, IA is expected to independently review the effectiveness of the organization's cyber risk mitigation programs.

Facilitating Risk-based Audits

Given that cybersecurity risks and controls are pervasive across the enterprise, the scope of an audit can often be vast and overwhelming. How then should IA know where to begin their assessments, especially when their resources are limited? This is where a risk-based approach to auditing can add value. It enables IA to prioritize their activities and resources based on the areas of highest risk in the organization.

Many Internal Auditors develop intelligence for risk-based auditing through risk assessments and scenario analysis tools. The resulting data helps them develop a systematic and risk-based audit plan with a well-defined objective and scope. Technology can help by not only streamlining risk assessments, but also delivering real-time visibility into risks and controls, and providing a centralized mechanism to document and manage risks – both existing and emerging.

Reasons For Conducting A Cybersecurity Audit

A cybersecurity auditor's purpose is to verify whether an organization is operating in accordance with the relevant cybersecurity standards, regulations, and guidelines. A cybersecurity audit gauges the organization's current state of compliance and benchmarks it against a specific industry standard. A gap analysis is then undertaken so that all control gaps are identified and remediated at the earliest opportunity through targeted recommendations.

There are several reasons why an auditor should conduct regular cybersecurity audits, including to:

  • Regularly monitor the organization's IT infrastructure, systems, and controls to detect potential risks or defects
  • Confirm that the systems in place meet minimum compliance requirements and mitigate expected risk
  • Evaluate the efficiency and effectiveness of cybersecurity operational systems and processes
  • Verify that information systems, security controls, and management procedures have been put in place with the aim of mitigating risk
  • Provide input into contingency plans for responding to cyberattacks and other emergencies
  • Validate that sufficient cybersecurity controls are in place for the organization to qualify for cybersecurity insurance

Cybersecurity Assessment Framework

Several factors are worth noting as IA professionals plan and conduct a cybersecurity assessment or audit:

  1. Involve people with the necessary experience and skills. It is critical to involve audit professionals with the appropriate depth of technical skills and knowledge of the current risk environment. A tech-oriented audit professional versed in the cyber world can be an indispensable resource.
  2. Evaluate the full cybersecurity framework, rather than cherry-picking items. This evaluation involves understanding the current state against the framework's characteristics, where the organization is going, and the minimum expected cybersecurity practices across the industry or business sector.
  3. The initial assessment should inform further, more in-depth reviews. It is not intended to be an exhaustive analysis requiring extensive testing. Rather, the initial assessment should drive additional risk-based cybersecurity deep-dive reviews.

The Big Picture

Until a decade ago, it was unusual for IA to be involved in evaluating information security risks and controls. In today's digital enterprises, however, information has emerged as a critical organizational asset that faces a growing number of security threats. The war against these threats cannot be waged by the IT function alone. IA is a pivotal ally, and must join forces with IT, in association with the board, management, and front-line units, to build a truly robust cybersecurity strategy that focuses on anticipating and mitigating risks and building organizational resilience.

DLA LLC's IA, risk management, and compliance services are designed to enhance the efficiency and effectiveness of IA functions, risk management programs, regulatory compliance, governance, and sustainability initiatives. In conjunction with IA, we offer a range of cybersecurity services to help ensure that a business's security posture is in line with leading standards.

SOURCES
[1] IBM, Cost of a Data Breach Report 2021 (explores ways to help mitigate risk).
[2] McKinsey & Company, "Cybersecurity trends: Looking over the horizon," March 10, 2022.
