Skip to Content

​OnRisk 2020: Beware the IT Mystics

Blogs Jim Pelletier, CIA Oct 22, 2019

​Chief audit executives shouldn't rely too much on IT leaders' opinions of how well the organization is addressing cyber risk.

I am not surprised that cybersecurity emerged as the top risk in The IIA's new report,OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, given our world's expanding dependence on technology. The report brings together the views of boards, management, and chief audit executives (CAEs) for the first time to provide a holistic view of risk from all perspectives.

Through in-depth interviews and surveys of board members, executive management, and CAEs, the growing sophistication and variety of cyberattacks was seen as the most relevant risk today by 86% of respondents. That percentage is expected to increase to 90% over the next few years.

What is surprising is the significant gap exposed in the report about an organization's capability to address cybersecurity risk. While all three groups agreed their self-assessed knowledge of the topic is quite low — around 30% — their perceptions of organizational capability to handle this risk is not aligned. Board and C-suite members assessed their organization's capability at 34% on average, while CAEs came in at 60%.

That means CAEs are nearly twice as confident as their governance partners that their organization is sufficiently prepared to manage cyber threats that could cause serious disruption and reputational harm.
I'm alarmed by this gap. Internal audit is not seeing through the veil of the IT mystics. This is not a shot at IT professionals. It is a recognition that IT professionals are too often on a different plane of understanding than anyone else in the organization when it comes to technology and, because others fear looking foolish, are often accepted at their word with inadequate expert challenge.

This appears to be the case among CAEs. With CAEs reporting very limited knowledge and awareness in the cyber arena, they are dependent on others to shape their perspective. To be more direct, I think CAEs may be relying too heavily on optimism expressed by IT leaders when it comes to assessing risks in the IT realm.

The daily headlines reveal a mind-boggling sophistication of cyber disruption, occurring at a pace that is difficult to keep up with. So, don't get me wrong, CAEs absolutely need to build trusting relationships with IT leadership to understand growing and emerging risks, as OnRisk 2020 recommends.

But it is more than that. CAEs must dedicate the necessary resources to perform technical and nontechnical reviews. They must cosource specialty-skilled resources when necessary and be sure to retain the expertise brought in by positioning internal audit staff to learn from these hired experts. They must demonstrate professional skepticism regarding the controls in place to mitigate cyber-related risks.

IT risks, particularly cyber risk, are not going away. Internal audit leaders cannot afford to remain passive in the IT space. If internal audit cannot meet the growing demand from boards for assurance in this space, someone else will.

Jim Pelletier, CIA

Jim Pelletier is Vice President, Portfolio Strategy, at The IIA in Lake Mary, FL.