Cybersecurity and the role of internal audit
An urgent call to action
Internal audit has a critical role in helping organizations in the ongoing battle of managing cyber threats, both by providing an independent assessment of existing and needed controls and by helping the audit committee and board understand and address the diverse risks of the digital world.
Cyber risk and internal audit
The threat from cyberattacks is significant and continuously evolving. Many audit committees and boards have set an expectation for internal audit to understand and assess the organization’s capabilities in managing the associated risks. Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board, which will then drive a risk-based, multiyear cybersecurity internal audit plan.
Third line of defense
Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations and comprise an organization’s first line of defense. The second line includes information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed.
Increasingly, many companies are recognizing the need for a third line of cyber defense: independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.
Cybersecurity assessment framework
Several factors are noteworthy as internal audit professionals consider and conduct a cybersecurity assessment:
- Involve people with the necessary experience and skills. It is critical to involve audit professionals with the appropriate depth of technical skills and knowledge of the current risk environment. A tech-oriented audit professional versed in the cyber world can be an indispensable resource.
- Evaluate the full cybersecurity framework, rather than cherry-picking items. This evaluation involves understanding the current state against framework characteristics, where the organization is going, and the minimum expected cybersecurity practices across the industry or business sector.
- The initial assessment should inform further, more in-depth reviews. It is not intended to be an exhaustive analysis requiring extensive testing. Rather, the initial assessment should drive additional risk-based cybersecurity deep-dive reviews.
The why and how of cyber risk assessment and defense
Exploring an organization’s cyber risks begins with three key questions:
- Who might attack?
- What are they after, and what business risks need to be mitigated?
- What tactics might they use?