A Cyber Wake-up Call

How Internal Audit Can Help

At first glance, cyber governance might seem like a strategic issue where internal audit teams can provide only limited help. That’s not so; internal audit can help the board in several important ways to assure that cybersecurity gets the oversight it needs.

Audit IT risk. This audit should not simply be an audit of firewalls or other traditional security measures. Rather, examine the organization’s processes for vetting cloud-service providers, performing data backup procedures, configuring hardware, and so forth. Cast a wide net to understand the risks that exist in how technology is used.

Review management’s oversight of IT and cybersecurity. Does the company allow a decentralized approach to sourcing IT equipment and vendors? Does a single, competent executive fulfill CISO duties? If not, dissect the operational risks that could arise (say, haphazard response to a data breach) and whether roles should be restructured.

Audit business continuity and disaster recovery. Although these issues are not directly related to cybersecurity, they are critical to how the organization makes sure that it can keep operating even during IT malfunctions —- which are often caused by cybersecurity attacks.

Consider the board’s own expertise. The SEC proposals include disclosure of any cybersecurity expertise among the organization’s board members. Assess whether the board has sufficient expertise for the cyber governance challenges it faces.

IIA Resources

Seminar: Fundamentals of Cybersecurity Auditing
Seminar: Examining Cybersecurity Concepts
Guidance: GTAG: Auditing Cybersecurity Operations
Webcast: Exploring the New Auditing Cybersecurity Options GTAG