Perspectives

Cyber risk and the role of the chief audit executive

CAE’s influence over internal audit and cybersecurity

Rapid advances in technology have bred a new generation of cyber criminals who are bent on disrupting operations. With stakes rising rapidly, chief audit executives (CAEs) have stepped up to contribute to internal audit (IA) and cybersecurity. Learn how CAEs can help their organizations stay ahead of current and future threats.

Reinventing the role of the chief audit executive

It is estimated that worldwide cybercrime costs will hit $10.5 trillion annually by 2025. Cyber criminals can steal data and assets any time and create a costly impact on corporate reputations and bottom lines. And with enforcement agencies unable to keep pace with attacks, organizations are increasingly forced to bolster their defenses. In recent years, boards and CEOs have begun turning to internal audit—as well as the CIO and CISO—to provide an objective point of view on cyber readiness, response, and risk mitigation.

Our report explores how the role of the chief audit executive is changing and how chief audit executives are reinventing themselves and their teams to focus on rising cyber risks—including threats from ransomware, phishing attacks, and data breaches. Insights in this report will show how they are seizing a once-in-a-generation opportunity to make a splash as front-line cybersecurity guardians and trusted advisers to senior leaders, audit committees, and boards of directors.

Cyber risk and the new age of the chief audit executive

Identifying and neutralizing cyberthreats

Leading CAEs are covering their “A’s” by providing insights about what stakeholders care the most about, and refocusing to assure on business resiliency, advise on cyber readiness, anticipate threats, and adapt through innovative audit techniques.

Assure Advise Anticipate Accelerate

Providing confidence in the company’s cyber capabilities

Board members and senior leaders want assurance about the safety and security of crown jewels and a better understanding of the degree to which cyber events might affect or disrupt the business. They are looking to CAEs to provide this assurance. One approach CAEs can take is to leverage recognized frameworks such as NIST or ISO to establish a baseline understanding of program maturity. For organizations with mature programs, they may opt for more intrusive, simulated breach attacks—red team operations—to test program effectiveness.

Collaborating with the business and IT around risk and strategic priorities

Many CAEs are on the front lines providing timely, credible advice to management on strategic priorities such as product launches, M&A, and other digital transformations that could affect the organization’s cyber risk posture. To pull this off successfully, CAEs need to bring in more talent, enhance the IA’s brand, and cultivate relationships.

Understanding digital transformation to deliver forward-looking cyber insights

Every organization’s pace of digital transformation is unique. One way in which CAEs are keeping abreast of the most significant risks is through recurring and dynamic risk assessments to identify top cyber risks based on strategic priorities. As all risks are not created equal (and all cannot be avoided), it’s crucial for IA to continuously align with others on which cyber audit engagements provide the most value. Apart from continuous risk assessments, the IA office can develop and begin implementing multi-year audit plans.

Making improvements from within

CAEs are embracing new technologies and analytical tools to detect threats and enhance organizational maturity. IA needs to rapidly evolve by embracing innovative techniques and analytics that establish baselines and potential anomalous behavior before incidents occur. Since approximately 95% of cybersecurity breaches are caused by human error, it is paramount that CAEs help the business combat this risk through training, awareness, and technology.

Growing stronger against risks, every day

Many CEOs have long viewed CAEs as Monday-morning quarterbacks, weighing in only after the action. But in a time of pervasive cyber threats, CAEs are filling a vital role that often exceeds their traditional job descriptions. To rise to the occasion, they are upping their game by educating themselves and building stronger teams more prepared to address cybersecurity issues. Explore more in our report and learn how CAEs are providing the right perspectives and expanding their roles with real-life examples.

Get in touch

Sarah Fedele

Principal | Deloitte Risk & Financial Advisory

sarahfedele@deloitte.com

+1 713 982 3210

Sarah leads the US Internal Audit (IA) practice within Deloitte Risk & Financial Advisory and is a member of Deloitte’s Global Internal Audit executive team. In these roles, Sarah and her teams are hy... More

Peter Low

Managing Director | Deloitte & Touche LLP

plow@deloitte.com

+1 312 259 4209

Peter is a Managing Director within Deloitte Risk & Financial Advisory’s Accounting & Internal Controls practice. Pete has 24 years of experience providing internal audit (IA), IT and business process... More

Viewing offline content