Companies have made significant strides in the past year in incorporating cybersecurity risk into their internal audit plans, according to a new survey from global consulting firm Protiviti.
Nearly three out of four (73 percent) internal audit functions evaluate and audit cybersecurity risk as part of their annual audit plans, up from 53 percent in 2015, according to the 1,333 internal audit professionals who participated in the 2016 Internal Audit Capabilities and Needs Survey: Arriving at Internal Audit’s Tipping Point Amid Business Transformation.
“This undoubtedly reflects higher levels of interest and concerns among organizations about the cyberthreats they now encounter daily,” the report states. “In addition, many organizations likely are being influenced by their external auditors placing increased scrutiny on management’s cybersecurity program. This is being driven by the current cyberthreat environment, along with US Securities and Exchange Commission disclosure obligations issued in 2011 relating to cybersecurity risks and cyberincidents, which set the stage for the market developments we are witnessing today.”
Brand and reputation damage, data leaks (employee personal information), and data security (company information) are viewed as the most significant security risks, according to the report. In terms of the value derived from addressing cybersecurity risks, companies view their ability to identify issues, risks, or control problems early as most important, along with monitoring reputation risk and improving operational performance.
In addition, 57 percent of internal audit professionals said their companies have received inquiries from customers, clients, or insurance providers about how they tackle cybersecurity.
Priorities for CAEs and Internal Audit
Protiviti found that there are two critical success factors when establishing and maintaining an effective cybersecurity plan:
- A high level of engagement by the board of directors in information security risks.
- Including the evaluation of cybersecurity risk in the current audit plan.
Companies with at least one of these success factors in place are better able to combat cyberthreats, according to Protiviti. For example, 92 percent of organizations with a high level of board engagement in information security risks have a cybersecurity risk strategy in place, compared to 77 percent of other organizations. Similarly, 83 percent of companies that include cybersecurity risk in their annual audit plans have a cybersecurity risk policy, versus 53 percent of those that do not.
“When it comes to cybersecurity and auditing processes, the highest-performing organizations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks,” Brian Christensen, executive vice president of global audit for Protiviti, said in a written statement. “It’s still apparent, however, that further work is essential to build out these internal audit capabilities. Companies must take stronger action to set these imperatives into place.”
So, what steps should chief audit executives (CAEs) take to address cybersecurity? Protiviti provided the following 10:
- Work with management and the board of directors to develop a cybersecurity strategy and policy.
- Identify and act on opportunities to improve the organization’s ability to identify, assess, and mitigate cybersecurity risk to an acceptable level.
- Recognize that cybersecurity risk is not only external; assess and mitigate potential threats that could result from the actions of an employee or business partner.
- Leverage relationships with the audit committee and board to heighten awareness and knowledge on cyberthreats, and ensure the board remains highly engaged with cybersecurity matters and up-to-date on the changing nature of cybersecurity risk.
- Ensure cybersecurity risk is integrated formally into the audit plan.
- Develop and keep current an understanding of how emerging technologies and trends are affecting the company and its cybersecurity risk profile.
- Evaluate the organization’s cybersecurity program against the National Institute of Standards and Technology Cybersecurity Framework, recognizing that, because the framework does not reach down to the control level, your cybersecurity program may require additional evaluation against ISO 27001 and 27002.
- Seek out opportunities to communicate to management that, with regard to cybersecurity, the strongest preventive capability requires a combination of human and technology security – a complementary blend of education, awareness, vigilance, and technology tools.
- Emphasize that cybersecurity monitoring and cyberincident response should be a top management priority; a clear escalation protocol can help make the case for – and sustain – this priority.
- Address any IT/audit staffing and resource shortages, as well as a lack of supporting technology/tools, either of which can impede efforts to manage cybersecurity risk effectively.
The following are five cybersecurity priorities for internal audit:
- Understand the company’s current strategic risks and anticipate what the top strategic risks will look like 12 months from now.
- Develop and strengthen collaborative relationships with stakeholders throughout the company to address a dynamic and comprehensive set of business risks proactively.
- Recognize the strategic impact of cybersecurity, collaborate with stakeholders throughout the company to evaluate and monitor its changing nature, and invest in the tools and expertise necessary to do so.
- Help ensure the company’s approach to managing cybersecurity and other increasingly important technology (e.g., mobile, analytics, Internet of Things) is comprehensive and risk-based.
- Ensure fraud-detection and fraud-prevention activities remain sufficient given the technology, structural, strategic, and workforce changes occurring throughout the organization.
“With internal audit now at a tipping point, these top priorities are more important than ever before,” Christensen said. “If the internal audit function doesn’t keep up with the growth and innovation of companies, it will be left behind. The time to act is now.”