
Why Cybersecurity Governance Matters

Articles | Logan Wamsley | Mar 18, 2026

Amid rising threats, internal audit can help public sector leaders strengthen oversight of cyber risk.

As cyber risks intensify, internal audit plays a critical role in helping public sector leaders assess cybersecurity governance, clarify ownership, and improve oversight and decision‑making.

Like all industries, public sector organizations are besieged by cyberattacks. For governments, managing cyber risk has consequences that extend beyond operational disruption. Cyber incidents can impact public safety, essential services, and public trust, according to KPMG’s 2025 Cybersecurity Considerations report.

This reality requires governance structures that establish the processes, responsibilities, and oversight needed to address cyber risks. As defined by the U.S. Cybersecurity and Infrastructure Security Agency, cybersecurity governance should include:

  • Accountability frameworks.
  • Decision-making hierarchies.
  • Defined risks related to business objectives.
  • Mitigation plans and strategies.
  • Oversight processes and procedures.

By evaluating governance structures, internal audit can help public sector leaders and governing bodies understand the risks and ensure they receive timely and reliable information to address them.

High Risk, Higher Challenges

As KPMG’s report notes, the cyber risk stakes are higher for public sector organizations. Despite such increased pressure, the public sector faces several cybersecurity governance challenges, according to KPMG.

Legacy systems. Public sector agencies often rely on outdated technology, a form of what experts call “technical debt.” Many of these systems have obsolete or unsupported security controls, yet the organization’s day-to-day dependence on them makes replacement difficult and slow.

Fragmented oversight structures. Public sector organizations often distribute IT environments across departments, agencies, or jurisdictions. If not appropriately managed, this could lead to inconsistent policies, unclear accountability, and gaps in risk ownership.

Resource constraints and talent shortages. Many agencies lack the budget to recruit and retain highly sought-after cybersecurity professionals. This can leave governance structures understaffed or underdeveloped.

Audit Responsibilities

In this difficult environment, internal audit must evaluate whether governance structures are designed effectively and operating as intended. According to The IIA’s Cybersecurity Topical Requirement, auditors should assess whether:

  • Formal cybersecurity strategy and objectives are established and updated periodically. Progress toward achieving cybersecurity objectives should be regularly reported to and reviewed by the board, and appropriate resources and budgets should be allocated to support the cybersecurity strategy.
  • Policies and procedures related to cybersecurity are established and updated periodically to strengthen the control environment.
  • Roles and responsibilities that support cybersecurity objectives are established, and a process is in place to assess the knowledge, skills, and abilities of the individuals filling the roles.
  • Relevant stakeholders are engaged to discuss and act on existing vulnerabilities and emerging cyber threats. Stakeholders include senior management, operations, risk management, human resources, legal, compliance, and vendors.

Tips and Strategies

Although cybersecurity governance is essential to any organization’s cyber risk strategy, internal audit may not understand how to assess those structures. Internal audit should begin by explaining to stakeholders what the audit will be evaluating, says Tshepo Mofokeng, CAE of Sefako Makgatho Health Sciences University in Johannesburg, South Africa and IIA Global Board director.

“You must make it clear to them that this is not so much an audit of technology but an audit of information — these are two different things,” Mofokeng explains. The auditor is simply ensuring that those who oversee cyber risk understand the governance processes. “That might reveal gaps, certainly, but the scope of this specific audit needs to be clear,” he adds.

Once the scope is established, the subsequent audit may consist of several elements.

Governance Design Assessments. Internal audit should evaluate whether the governance framework is well-designed, appropriately documented, and aligned with applicable best practices. Deloitte’s Global Internal Audit Hot Topics 2025 report notes, “Optimized frameworks can deliver cost reductions, support management of risks in line with appetite, and enable innovation and delivery of strategic goals.” This is particularly important, Deloitte continues, in cost-constrained environments, such as the public sector, and should include:

  • Cybersecurity strategy and alignment with mission objectives.
  • Organizational charts and reporting lines.
  • Charters for cybersecurity committees or working groups.
  • Policies and standards for completeness, clarity, and alignment with established frameworks such as ISO/IEC 38500:2015 and ISACA’s COBIT.

According to Deloitte, these frameworks are built around four core areas: aligning IT with strategy, managing IT risks, managing resources, and measuring value and performance.

Stakeholder Interviews and Walkthroughs. Interviewing the chief information officer (CIO), chief information security officer, risk officers, department heads, and other stakeholders can help auditors assess whether governance roles are understood and executed consistently. Public sector audits often find that actual practices do not match documented responsibilities, Mofokeng says.

“Cybersecurity is a data risk, but it’s not always a systems risk,” he explains. “The person who actually owns the risk is not always defined.” For example, some stakeholders may say the CIO owns the risk, while the CIO may point out that the risk belongs to the person who is directly responsible for how the databases are run. “The internal auditor needs to make these lines clear,” he notes.

Risk Management Evaluations. Risk management is a key component of a technology governance structure. “Assurance should focus on key aspects of their technology environment, such as strategy, resourcing and capability, risk management, operating model and organizational structure, value delivery, and performance monitoring,” the Deloitte report explains.

Performance Metrics and Reporting. In interacting with stakeholders, internal auditors should assess whether leadership receives timely, accurate, and actionable reports on cybersecurity, Mofokeng says. This can include dashboards, key performance indicators, incident reports, and compliance updates. Weak reporting structures often signal deeper governance issues, he notes.

Don’t Overlook the Human Element

Just because a risk is highly technical doesn’t mean that technology alone is responsible for managing it. The flow of cyber risk information through people, from system owners up to the governing body, is a fundamental element of any cyber governance structure, and internal audit needs to evaluate it regularly.

Logan Wamsley

Logan Wamsley is associate manager, content development at The IIA.