
Tech: Cybersecurity Assurance

Articles Matej Draŝĉek, PHD, CIA, CRMA, CFSA, Sergeja Slapničar, PHD, Tina Vuko, PHD, Marko Čular, PHD Dec 16, 2024

U.S. Federal Bureau of Investigation Director Robert Mueller once said, “There are only two types of companies: those that have been hacked, and those that will be.” This year, several incidents have confirmed Mueller’s statement, including the National Public Data breach that exposed 2.7 billion records, the Ticketmaster leak of 560 million customer records, and ransomware attacks on Change Healthcare and Ascension Health System. Such incidents are one reason cybersecurity is the No. 1 risk in The IIA’s Risk in Focus 2025 report and perennially among the top five global risks ranked by the World Economic Forum.

Recent research published in the International Journal of Accounting investigates internal audit’s ability to perform cybersecurity audits. In “Key Drivers of Cybersecurity Audit Effectiveness,” researchers surveyed 183 CAEs and IT auditors to compile an index measuring the effectiveness of cybersecurity assurance on a 100-point scale. 

The survey finds that half the organizations surveyed provided high (61 to 80) or very high (81 to 100) levels of assurance. The average score was 58. 

The research reveals that factors such as certifications, cross-functional cooperation, and board expertise can significantly impact the effectiveness of cybersecurity audits. The findings point to actions CAEs can take to ensure internal audit’s work helps protect the organization from cyber threats.

Certifications

The Key Drivers research shows that many internal audit functions lack the qualifications needed to provide high levels of cybersecurity assurance. According to the survey, 41% of respondents’ functions do not have auditors with professional cybersecurity certifications, and 41% of audit functions do not have IT auditors. In addition, 31% of respondents say they do not have experience working in cybersecurity. 

Global Internal Audit Standard 3.1 Competency requires the internal audit function to possess or obtain knowledge and skills needed to perform its responsibilities — either on staff or through outsourcing. CAEs should include IT and cybersecurity certifications as an indicator in the competencies/skills matrix they use to identify specific skills their department lacks. Moreover, audit leaders should establish training plans to help staff members develop IT and cybersecurity capabilities and gain relevant certifications.

Cross-functional Collaboration

The IIA’s Three Lines Model focuses on the importance of collaboration between the second and third lines in organizational assurance and risk management. Collaboration between the CAE and the chief information security officer (CISO) is particularly crucial for effective cybersecurity assurance. 

Research participants rate the CAE’s collaboration with the CISO as moderate, scoring 3.04 on a five-point scale. Forty-two percent say they cooperate with the first and second lines in determining risks and dividing assurance activities, but they do not have an assurance plan. Only 8% say they intensively cooperate with the first and second lines. Conversely, 17% say they do not cooperate at all.

Working closely with the CISO enhances internal audit’s understanding of the IT environment, emerging threats, controls, and risks. Conversely, cybersecurity specialists gain from internal auditors’ governance and compliance knowledge, as well as their understanding of how cyber threats are associated with critical operations and impact the business. To foster collaboration, CAEs can organize monthly or quarterly meetings between the internal audit team and the CISO, with the emphasis on new and emerging cyber risks and changes to the organization’s IT systems.

Internal audit also should coordinate with the security function on cybersecurity assurance. However, few respondents say their department is using an assurance map to coordinate cybersecurity assurance efforts, as mandated by Standard 9.5 Coordination and Reliance. Leveraging an assurance map would help ensure the most effective use of resources while maintaining internal auditors’ independence, avoiding duplicated assurance efforts, and addressing any gaps.

Tone at the Top

Lack of support from the board can undermine cybersecurity audits. Yet, many organizations do not see internal audit as an important contributor to improving cybersecurity compared to other roles such as the CISO. 

The research confirms that the board’s support of internal audit — measured by the time the board dedicates to cybersecurity topics, whether it provides clear requirements, and the resources it allocates to cyber risk audits — can directly influence cybersecurity assurance. Thirty-five percent of respondents say the board’s level of support for cybersecurity internal audits is poor or extremely poor. Another 33% say board support is good or excellent.

Additionally, the study finds that the board’s support is higher when its members are more technically competent and understand cybersecurity issues. Just 7% of respondents say the board’s clarity on cybersecurity assurance requirements is completely satisfactory, and 23% say it is satisfactory. On the other hand, 37% say the board’s clarity is unsatisfactory or completely unsatisfactory. 

CAEs can enhance the board’s understanding of cybersecurity through their audit reporting. Reports should help the board grasp the organization’s risk exposure, the importance of cyber risk mitigation, the potential impact on customers and stakeholders, how cyber risks affect the board’s accountability, and the value at risk, which is a financial measure of the organization’s level of risk. CAEs also should detail the effectiveness of measures in place to mitigate risks. 

Having a digitally competent board is the gold standard in cybersecurity governance. However, CAEs must be careful and politically savvy in approaching the board about its lack of cybersecurity or technology knowledge. One opportunity to raise the subject is through corporate governance audits, where CAEs can report audit findings in a way that warrants a reaction from board members. 

External Expertise

The Key Drivers research finds that most respondents’ internal audit functions rely on some form of outsourcing. Twenty percent of participants say they use outsourcing, and 65% use cosourcing to provide cybersecurity assurance. Some outsource cybersecurity audits entirely, if there is a complete lack of internal capabilities. Others cosource parts of cybersecurity audits if they lack personnel, need greater agility to react to emerging risks, or want to complement internal audit staff skills. 

CAEs should inform the board about how internal audit’s lack of cybersecurity resources and competencies could expose the organization to cyber risks. For such audit functions, cosourcing or outsourcing can be a quick win. 

However, agreements with service providers should include training that enables internal audit staff to learn new skills by participating in cybersecurity audits. Internal audit can spread outsourcing expenses over time by having a multiyear contract with the service provider that is based on a risk assessment and a step-by-step approach to cybersecurity assurance.

Strategies for Effective Assurance

Internal auditors should be mindful of cyber risks in every audit. To that end, every internal audit team should consider benchmarking against best-in-class audit functions and adopting strategies that have improved cybersecurity assurance at other organizations. In particular, approaches such as collaborating closely with the IT security function and outsourcing are resource-efficient. Following these strategies can enable internal audit to provide effective assurance that the organization’s governance, risk management, and control processes adequately address cybersecurity.

Matej Draŝĉek, PHD, CIA, CRMA, CFSA

Matej Draŝĉek is chief financial officer at LON Bank in Kranj, Slovenia.

Sergeja Slapničar, PHD

Sergeja Slapničar is an associate professor of accounting at the University of Queensland’s Business School in Brisbane, Australia.

Tina Vuko, PHD

Tina Vuko is a professor in the Department of Accounting and Auditing in the Faculty of Economics, Business, and Tourism at the University of Split in Croatia.

Marko Čular, PHD

Marko Čular, an assistant professor of accounting and auditing in the Faculty of Economics, Business, and Tourism at the University of Split, contributed to this article.