Reports of corporate cybersecurity breaches in the news are becoming as routine as the weather report, and the global risk stemming from these threats has never been higher. In fact, there are growing and credible concerns that malicious hacking groups have begun a cyber war against companies.
In the midst of this hostile cybercrime climate, the IT audit function has become critical to ensuring technology systems and processes are controlled effectively, and that the people component does not prove to be an easily exploited weak link. To make certain that IT auditors are providing the best and most thorough services possible to their stakeholders, it is imperative that we assume a greater role in IT governance and enhance our ability to identify and address potential cybersecurity weaknesses along the entire technological continuum.
All too often, for example, an IT audit begins only after organizations implement new, or change existing, technologies and processes. Engagement after the fact allows audit only to identify “what should have been done” rather than “what should be done,” as it could if it were engaged early in the process. High-functioning audit teams help organizations identify the dangers and opportunities that lie on the road ahead. Getting ahead of the threats, rather than constantly reacting to their consequences, is what it’s all about.
There is a growing recognition that IT auditors need to be involved in the investment, planning, design and implementation phases of new technology projects as well as other, non-technology projects that have the potential to impact an organization’s security risk profile. Additionally, IT auditors should be considering whether their approach to cybersecurity risk assessments (often an annual, point-in-time activity) is sufficient given the rapidly evolving technology and threat landscapes.
Boards of directors and executives are displaying interest in this more dynamic and attuned approach, according to results from A Global Look at IT Audit Best Practices, the sixth annual IT audit benchmarking survey conducted by ISACA and Protiviti. In past years, the survey identified cybersecurity as a high-ranking technology challenge, but this year it came in at number one. Not surprisingly, additional findings revealed that most IT audit leaders regularly attend audit committee meetings. Chief audit executives (CAEs) also are beefing up their knowledge of technology while taking a more active leadership role in the IT audit function.
Here are some questions for you to consider as you seek greater IT audit agility to manage cybersecurity:
- Does your current-state internal audit plan effectively consider cybersecurity risk? IT audit functions should ensure their cybersecurity risk assessments and supporting toolkits are designed and deployed to provide timely identification of key risks in an environment of rapidly evolving threats and technologies.
- Does your internal audit team have the right skills to effectively evaluate cybersecurity risk and related controls? Organizations should identify where their IT audit capabilities can be expanded to provide proactive insights about cybersecurity issues. Further, talent development and management programs should be tailored to ensure that CAEs and their staff have robust cybersecurity training and skill sets to identify emerging risks. Companies may also want to consider using outsourced cybersecurity competencies as needed.
- Do you utilize a framework to help identify and prioritize cybersecurity risk? Many organizations are using frameworks or tools such as COBIT 5, ISO 27001/2, NIST Cybersecurity Framework, and FFIEC Cybersecurity Assessment Tool to help assess cybersecurity risks and organizational preparedness.
- Does your leadership have a good understanding of the risks associated with cybersecurity? According to Protiviti’s 2017 Executive Perspectives on Top Risks survey, C-suite occupants are very much aware of cybersecurity threats to their organizations, elevating privacy/cybersecurity to the number one risk, up from 2016. But many also acknowledged that their companies are likely unprepared to manage cyber threats that could disrupt business and harm the brand. Leading organizations are striving to tie cybersecurity risk to the business outcomes they need to avoid, so that it can be more easily evaluated and communicated in a business context and, ultimately, so that resources can be allocated to the areas that are truly of highest risk to the business.
From substantial cybersecurity, privacy and infrastructure management issues to the implementation of new technologies, IT auditors who work closely with management and boards will fulfill a vital role in protecting organizations against disruption and data loss. We’ve assembled the action item checklist below specifically for internal audit departments seeking to build that relationship and increase the agility of the IT audit function. How many can you check off?
- Work with management and the board to craft effective cybersecurity strategies and policies, and ensure that they are implemented.
- Seize opportunities to improve the organization’s ability to identify, assess and mitigate cybersecurity risks — both external and internal.
- Develop a view of cybersecurity risks focused on business services and outcomes rather than being viewed exclusively through a technology lens.
- Leverage the relationship with the board and the audit committee to increase awareness about cyber threats and make sure that the board is motivated to stay up-to-date on emerging risks.
- Formally introduce cybersecurity risk into the audit plan.
- Develop and maintain a current understanding of how emerging technologies and trends could affect the organization’s cybersecurity.
- Measure the company’s cybersecurity program against a standard industry framework.
- Take every chance to communicate to management that the strongest defense against cyber risks requires both human and technology controls.
- Emphasize the necessity to make cybersecurity monitoring and incident/breach response readiness a top management priority.
- Address shortages in IT audit staffing and any lack of appropriate tools, either of which can short-circuit efforts to manage cybersecurity risks.
In today’s environment, IT audit functions have a critical role to play in helping organizations guard against business disruptions and privacy breaches. They need to ensure that they have the infrastructure (capabilities, methodologies and tools) and the early engagement in business initiatives needed to provide not only insight and oversight but also foresight as it relates to cybersecurity risk.