More than 800 chief audit executives and audit professionals from around the world participated in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Our subject-matter experts discussed the results in depth in a March 24th webinar, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions.
We received so many questions from webinar attendees that we were unable to address them all within the allotted time. A number of those questions centered on cybersecurity. Jordan Reed, a managing director in Protiviti’s Houston office, answers those questions here:
Q: Do you typically see cybersecurity risks discussed with audit committees, or would that be better situated at the board risk committee?
A: I see both, although more frequently at the board level. Some companies have risk committees that focus specifically on areas like technology and other emerging risks, and cybersecurity certainly fits within that scope. Others provide education, current events and hot topics for the full board, and cybersecurity almost always finds its way onto that agenda. If the board delegates its risk oversight responsibility to the audit committee, then that committee may oversee the management of cyber threats. To the extent cybersecurity has been included in an internal audit risk assessment or internal audit, the topic and results would obviously be discussed with the audit committee versus the entire board. Additionally, any security breach that required a public disclosure would certainly be discussed with the audit committee. So you can see, there is no one-size-fits-all approach.
Q: Can you provide more information about The IIA’s GAIT framework?
A: The best answer to this would come from The Institute of Internal Auditors’ website:
“The IIA’s General Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.
The IIA classifies GAIT as recommended guidance under its international professional practices framework (IPPF). GAIT practice guides include:
- The GAIT methodology: A risk-based approach to assessing the scope of IT general controls as part of management’s assessment of internal control required by Section 404 of the Sarbanes-Oxley Act.
- GAIT for IT general control deficiency assessment: An approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies.
- GAIT for business and IT risk: Guidance for helping identify the IT controls that are critical to achieving business goals and objectives.”
Q: Does increasing board engagement with cybersecurity require a more technically astute appointee, similar to members with finance backgrounds, so the severity of threats can be better understood?
A: We are seeing a lot of organizations starting to move in that direction. As you might expect, this has been especially true for organizations with a greater concentration of “crown jewels,” such as personally identifiable information — financial services, retail and healthcare companies, for example.
Q: Should cybersecurity be addressed within the organization’s audit charter?
A: Yes, it is already covered in most of the charters I see, in the “Responsibility” section of the Internal Audit Activity Charter. I typically do not see cybersecurity specified at that granular a level, but it is covered within the overall responsibilities of the internal audit function.
Please see Protiviti’s 2015 Internal Audit Capabilities and Needs Survey Report for additional insights on cybersecurity and other topics.