Online Exclusives Lynn Fountain, CGMA, CRMA, CPA Mar 06, 2019
Technology is progressing at such lightning speed that even IT specialists struggle to keep their fingers on the pulse of technological change. So how are internal auditors expected to adequately assess and examine the various risks emerging in this cyber age?
As technology continues to advance, internal auditing must evolve. For many years, internal audit departments relied on IT audit specialists as partners in integrated audits. Although those specialists focused on systems and technology, integrated audits worked best when operational and financial auditors knew what to look at from an IT perspective.
In today’s world, internal auditors cannot delegate responsibility to their IT departments or IT auditors. All auditors should have a solid understanding and awareness of more than just general and application controls. They should realize the technology risks and their potential impact.
One of the most prevalent issues organizations face today is the constant threat of cyberattacks. Every day there is some new threat, breach, or cybersecurity incident. It is now imperative that all internal auditors understand the underlying drivers as well as the nature and causes of cyber risks. With this knowledge, internal auditors can add significant value to the organization by assessing and helping management strengthen cybersecurity.
Yes, internal auditors know how to use a computer and a cell phone, but do they realize the risks these technologies pose? What you don’t know can hurt you! In today’s business environment, training on cybersecurity issues should be a basic curriculum expected of internal auditors. Training that is essential for internal auditors includes understanding:
Organizations need to understand and use a structured cyber risk framework to mitigate threats. Although there are several frameworks, some organizations may focus on a specific framework, depending on their industry.
One of the most widely used frameworks is the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework. The framework directs organizations to use a standard protocol in their cybersecurity efforts to identify and protect assets, and respond to and recover from incidents.
The NIST framework recommends that organizations identify assets within the organization that are most susceptible to cyber threat. Next, it advises organizations to prioritize assets for protection, and develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.
Identifying and protecting assets is similar to other risk assessment processes and is an area in which internal auditors can provide valuable insight to help protect their organizations. Auditors can help their organization by:
Detecting cyber threats is the third component the NIST framework recommends. Once assets have been identified and protected, the organization should develop and implement appropriate activities to take action when a cybersecurity event is detected.
As with The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework monitoring component, performing detection procedures is management’s responsibility. However, internal auditors can test detection procedures to ensure they are designed appropriately.
Management should follow a well-devised protocol to develop, design, and implement detection procedures. Auditors can review and test that protocol and ensure detection procedures are addressing the most vulnerable assets. This act requires auditors to collaborate with management to fully understand the procedures used in the design phase and in identifying which assets are prioritized as higher risk.
This component of the NIST framework includes activities to undertake when the organization has detected a cybersecurity incident. The objective is to contain the incident’s impact on the organization.
Compare a cybersecurity incident to a fire. Both are “all hands on deck” events. If management has not structured a cyber risk program appropriately, there may be many reactive actions and ad-hoc approaches to plugging the gaps. Internal auditors can be important consultants in this situation.
Often when a breach occurs, management looks for the quick fix. This may not always be the best solution. The response must consider not just the tactical steps taken to fix the problem but all of the ancillary communication and documentation that is required. In this circumstance, internal auditors can provide an independent perspective and guide management on the best path to follow to respond to the incident. But to be helpful, auditors must understand the technology issues as well as the incident-response processes.
Recovering from a cybersecurity incident is comparable to recovering from an illness. When a person discovers he or she has a serious illness, all focus is placed on acting to respond to the illness. At that point, the mindset is survival rather than recovery.
As defined by NIST, the recovery phase occurs after the organization has responded to a breach. This phase includes identifying activities to maintain plans for resilience and to restore any services that were impaired due to a cybersecurity incident. The organization must be able to constructively review what occurred and extract appropriate lessons learned from the incident. Then the organization must incorporate those lessons into its current response protocol.
By assessing the lessons learned from an incident, internal audit can contribute to the ongoing viability of the organization’s cybersecurity incident plan. This assessment can assist the organization in evaluating gaps in how assets were identified and prioritized, how protection procedures were prioritized and executed, how detection procedures were implemented, and how response procedures were put into effect.
The NIST Cybersecurity Framework’s guidance is just a sample of important concepts to understand. As technology evolves, so do the duties of internal auditors. The profession needs to step out of its comfort zone and insert its expertise into addressing cyber risk.