The role of Internal Audit in cybersecurity

17 May, 2021

In our 2021 CEO Survey, cyberthreats moved to number two on the list of external threats causing concern for organisations: 90% of Irish business leaders said they are concerned about cyber risks and the impact they could have on their organisations.

Our survey also found that almost half of global leaders intend to make double-digit increases in their investment in digital transformation, yet only 27% expect to increase their cybersecurity and data privacy initiatives to the same extent. That gap, together with the prevalence of remote working and the risks it brings, and incidents such as the SolarWinds supply-chain attack, should increase the focus Internal Audit (IA) puts on cybersecurity.


Audit committees and boards have also reacted to the evolving threat. They have set an expectation for the IA function to play a key role in ensuring the organisation is protected against cyberthreats. IA teams need to be increasingly vigilant and play a leading role in challenging cybersecurity practices. What should IA functions and leaders keep in mind, and how can they work with CIOs and CFOs to ensure their IT operations are secure? 

Key cybersecurity considerations for IA leaders   

Assess cybersecurity risks against goals and strategy

IA should consider, amongst other things: the appropriateness of the cybersecurity frameworks implemented, of cybersecurity risk management within the organisation and of the cybersecurity strategy; cybersecurity governance, including the roles and responsibilities of IT, security, the business and third parties; and the effectiveness of IT disaster recovery and business continuity planning programmes.

IA now has a more vital role than ever in helping the organisation understand and manage cybersecurity risks and threats. IA should evaluate the comprehensiveness of the organisation's cybersecurity risk assessments, providing an independent view of the controls that exist and those that are still required. The results will help the audit committee and board understand and address the organisation's diverse cybersecurity risks, and a key outcome should be an IA plan that addresses the specific areas of cybersecurity risk facing the organisation.

Conduct risk based cybersecurity assessments 

IA should focus on the adequacy of the risk assessments and on the key risks they identify, while maintaining its own understanding of the internal and external threat landscape. These key risks should be included in the annual audit plan for review.

Assess compliance with cybersecurity regulations

The regulatory environment continues to evolve and increasingly mandates cybersecurity requirements that organisations must adhere to. Regulatory bodies, organisations and the mainstream media are all paying greater attention to cybersecurity, and this focus has intensified over the past year given the added complexity of the Covid-19 pandemic and a workforce largely working from home.

Determine how operational changes should be assessed 

IA professionals should familiarise themselves with changes to their organisation's operating environment and how these may increase cybersecurity risk. With less verbal communication, employees are exposed to a greater volume of digital messages and may become less vigilant about phishing emails and other social engineering attacks. Employees will likely be required to work with unfamiliar technology (e.g. remote collaboration tools) under increased stress and with limited opportunity for training. This introduces new risks where technologies are used inappropriately, are misconfigured, or are deployed without the security measures envisioned when they were designed.

Collaborate with other lines of defence

IA should collaborate effectively with first-line and second-line functions (operational IT and business management, and the risk, compliance and information security functions respectively). In doing so, it reduces the likelihood of blind spots and of significant cybersecurity issues going unnoticed until they materialise.

Report and escalate the risks

IA should ensure that key risks identified during cybersecurity assessments are reported as soon as they are known, rather than waiting for the audit to be fully executed, since an identified but unreported risk can be exploited by attackers in the meantime.

Use relevant reference frameworks

IA should use existing frameworks when executing assessments to ensure end-to-end coverage of the cybersecurity domains. Consider whether the organisation has formally adopted an industry standard, framework or set of guidelines, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) or ISO/IEC 27001 and 27002, amongst others.

Report to the board and audit committee

IA has a crucial role to play in keeping the audit committee and board fully informed by providing valuable current and emerging cybersecurity insights. IA should ensure that the audit committee and board remain highly engaged with cybersecurity matters and up to date on the ever-changing threat landscape.

What does IA require to act as an independent assessor?

Skills and knowledge

IA professionals are required to be able to conduct cybersecurity assessments, so it is vital that they have the skills, expertise and knowledge of cybersecurity risks and of how to manage them. With the increased emphasis on cybersecurity, professionals with these skills are a very valuable resource. IA professionals also need a high degree of business acumen, to facilitate better conversations with business leaders, alongside a base knowledge of IT and cybersecurity risk.

A robust framework for assessment 

IA should develop a cybersecurity assessment framework that allows it to perform effective cybersecurity audits. This framework should be informed by the principles set out in international standards on cybersecurity such as NIST CSF and ISO/IEC 27001 and 27002.

Adequate tools 

IA professionals should invest in tools where they are involved in large-scale or complex cybersecurity assessments. A range of security audit tools is available to give IA teams valuable information on the organisation's cybersecurity compliance. Such tools provide visibility of adherence to security policies, potential vulnerabilities, suspicious account activity, privileged access abuse and incident identification, amongst others.
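As an added illustration of the kind of check such tools automate (this is example code written for this page, not PwC's code or any product's), the following Python script audits a privileged-account export and an authentication log against a simple access policy. The account fields, log layout, hostname convention, business-hours window and 90-day staleness threshold are all constructed assumptions.

```python
"""Added example: a minimal privileged-access audit check of the kind an
Internal Audit team might run over exported identity and authentication data.
All data, field layouts and policy thresholds below are constructed
assumptions for illustration, not any vendor's format."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    last_logon: datetime
    mfa_enabled: bool
    approved: bool  # present on the approved privileged-user register


# Constructed sample export of privileged accounts (assumed fields).
ACCOUNTS = [
    PrivilegedAccount("alice.admin", datetime(2021, 5, 14), True, True),
    PrivilegedAccount("bob.admin", datetime(2021, 5, 15), False, True),
    PrivilegedAccount("carol.admin", datetime(2021, 1, 3), True, True),
    PrivilegedAccount("svc_backup", datetime(2021, 5, 14), False, False),
]

# Constructed sample authentication log: "<timestamp> <user> <source host> <result>".
AUTH_LOG = """\
2021-05-14T02:12:00 alice.admin WS-ADM-01 SUCCESS
2021-05-14T09:30:00 alice.admin WS-ADM-01 SUCCESS
2021-05-14T23:50:00 svc_backup WS-0342 SUCCESS
2021-05-15T03:05:00 bob.admin WS-0342 FAILURE
2021-05-15T03:05:20 bob.admin WS-0342 FAILURE
2021-05-15T03:05:40 bob.admin WS-0342 FAILURE
2021-05-15T03:06:00 bob.admin WS-0342 SUCCESS
"""

# Assumed policy: privileged logons come from hardened admin workstations
# (hostname prefix) during business hours, and privileged accounts are
# approved, MFA-enforced and used at least once every 90 days.
ADMIN_HOST_PREFIX = "WS-ADM-"
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59
STALE_AFTER = timedelta(days=90)
FAILURE_THRESHOLD = 3


def audit_accounts(accounts, as_of):
    """Policy-adherence findings from the account export, as (account, issue)."""
    findings = []
    for acct in accounts:
        if not acct.approved:
            findings.append((acct.name, "not on approved privileged-user register"))
        if not acct.mfa_enabled:
            findings.append((acct.name, "MFA not enforced"))
        if as_of - acct.last_logon > STALE_AFTER:
            findings.append((acct.name, f"stale: no logon in {STALE_AFTER.days} days"))
    return findings


def audit_auth_log(log_text):
    """Suspicious-activity findings from the auth log, as (account, issue)."""
    findings = []
    consecutive_failures = {}
    for line in log_text.splitlines():
        stamp, user, host, result = line.split()
        when = datetime.fromisoformat(stamp)
        if result == "FAILURE":
            consecutive_failures[user] = consecutive_failures.get(user, 0) + 1
            continue
        # A success following a run of failures is the classic password-guessing pattern.
        if consecutive_failures.get(user, 0) >= FAILURE_THRESHOLD:
            findings.append((user, f"success after {consecutive_failures[user]} failures at {stamp}"))
        consecutive_failures[user] = 0
        if not host.startswith(ADMIN_HOST_PREFIX):
            findings.append((user, f"privileged logon from non-admin host {host}"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((user, f"privileged logon outside business hours at {stamp}"))
    return findings


def run_audit(as_of=datetime(2021, 5, 17)):
    """Combine both checks; returns findings grouped by account for the audit workpaper."""
    grouped = {}
    for account, issue in audit_accounts(ACCOUNTS, as_of) + audit_auth_log(AUTH_LOG):
        grouped.setdefault(account, []).append(issue)
    return grouped


if __name__ == "__main__":
    for account, issues in run_audit().items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

On the constructed data the script flags a service account missing from the approved register and lacking MFA, a long-unused administrator account, and an administrator whose successful logon from an ordinary workstation at 03:06 followed three failures. Findings of this kind are leads, not conclusions: an out-of-hours logon from an admin workstation, for example, may be a sanctioned change window, and the auditor's job is to trace each one to an approval or an incident record.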

Key cybersecurity considerations for CIOs and CFOs

 In our CEO Survey, we discovered that: 

  • Cyberthreats have moved to number two in the list of threats. 90% of CEOs in Ireland are concerned about cyberthreats and their impact on growth prospects, compared to 85% globally.

  •  Irish CEOs are lagging behind their global counterparts, who are more serious about investment in key areas including  cybersecurity. Only 27% of Irish CEOs believe they will increase their cybersecurity investments in the years ahead. 

  • There has been a huge increase in digitalisation in business necessitated by the pandemic and remote working. The infrastructure required to enable this transformation brings with it significant cybersecurity risks. 

In order to ensure the cybersecurity of their organisations, CIOs and CFOs need to:

  • Invest in risk management 

Governance, management oversight and effective risk management are recurring themes in findings raised by regulatory bodies and in our work with organisations across many industries. Implementing effective and robust cybersecurity risk management practices needs to become an area of focus. Organisations should ensure that the key cybersecurity risks facing the business are well understood and are supported by timely and effective mitigation plans.

  •  Align cybersecurity investments to business strategy

The business goals of the organisation should be closely aligned with the IT and cybersecurity goals and a clear roadmap should be developed indicating key risk based cybersecurity initiatives and investments in the short, medium and long term. 

  • Invest in talent

Organisations need to invest in the right level of talent, or partner with reputable providers to address any skills gaps. The CIO and CFO need to work closely with the CISO to identify those needs and put plans in place to attract and retain talent in this area.

The key actions to take now

For IA teams to play an effective role in cybersecurity, they should:

  • Reassess cybersecurity risks and identify what aspects need to be included in the IA plan.

  • Recognise the increased cybersecurity risk associated with wider digitalisation, working from home and other changes in their organisation's internal and external environments.

  • Assess the cybersecurity threats presented by any technology recently acquired or developed in-house: technology acquisition cycles may have shortened during the pandemic, which could result in increased cyber risk.

  • Focus on cyberthreats, data breaches and cybersecurity incidents that have occurred over the last 12 months. How has your organisation executed incident management protocols to deal with them? 

We are here to help you

Cybersecurity has evolved rapidly into a critical organisational risk that affects every organisation. Because of the complexity of the risks, or a lack of skills, organisations may not be well equipped to assess the effectiveness of their cybersecurity. IA has a key role to play in assessing the effectiveness of the organisation's cybersecurity programme and in providing assurance and critical feedback to those charged with governance. We are here to help IA functions deliver on that mandate, whatever the nature, scale and size of your organisation. Contact us today.

Contact us

Andy Banks, Partner, PwC Ireland (Republic of)

Richard Day, Partner, PwC Ireland (Republic of)

Pat Moran, Partner, PwC Ireland (Republic of), Tel: +353 87 754 1944
