Cybersecurity awareness top of mind for internal auditors
Menlo Park, CA-- Internal audit professionals are making strides in meeting cybersecurity and data privacy standards, says ‘ From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions’, a report by Protiviti. Much work remains, with many of the surveyed organizations rating themselves as less than "very effective" at addressing their cybersecurity risks. However, the results are significantly better for organizations in which the board of directors has a high level of engagement with information security risks, and those that include cybersecurity in the annual audit plan.
"Across the globe, businesses are continuing to experience cybersecurity issues, challenges and breakdowns. Our survey shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cybersecurity frameworks into business processes," says Brian Christensen, executive vice-president, global internal audit and financial advisory, Protiviti. "Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats."
More than 800 internal audit professionals, including chief audit executives (CAEs), participated in Protiviti's ninth annual survey to assess the top priorities for internal audit functions. Along with a review of cybersecurity management and processes, the survey assessed general technical knowledge, audit process knowledge, and personal skills and capabilities.
Protiviti's survey shows a clear, positive correlation between a high level of board engagement in information security (30 per cent of respondents) and an organization's ability to acceptably manage cybersecurity risk. There is a similar relationship between having defined cybersecurity measures in the annual audit plan and the successful management of cybersecurity risk. For example:
-
Nearly half of organizations with a high level of board engagement (47 per cent) rate themselves as "very effective" at identifying cybersecurity risk, compared to just 19 per cent of other organizations.
-
Seventy per cent of organizations that include cybersecurity in the audit plan have a cybersecurity risk strategy in place, compared to 42 per cent of other companies.
More than half of this year's respondents (53 per cent) note that cybersecurity evaluation has been included in their current audit planning. Of those organizations, 60 per cent have used the NIST Cybersecurity Framework to measure and evaluate existing programs.
Across respondents, many CIOs have also taken particular interest in collaboration with the audit committee, reporting on both cybersecurity and IT related risks (43 per cent).
According to survey participants, the top five most significant cybersecurity risks are:
-
Data security (company information)
-
Brand/reputational damage
-
Regulatory and compliance violations (tie)
-
Data leakage (tie)
-
Viruses and malware
In its report, Protiviti offers 10 recommended action items that CAEs and internal audit professionals should consider implementing as part of their ongoing efforts to help their organizations strengthen cybersecurity.
Technical knowledge – top five priorities
Internal audit professionals assessed their competency in 35 areas of technical knowledge, indicating whether their knowledge is adequate or requires improvement. Based on these findings, the top areas for technical knowledge improvement include:
-
Data Analysis Technologies ( GTAG 16 )
-
NIST Cybersecurity Framework
-
Mobile Applications
-
Continuous Assurance
-
The Guide to the Assessment of IT Risk ( GAIT )
Audit process knowledge – top five priorities
Respondents also evaluated 35 areas of audit process knowledge in terms of improvement. These top priorities include:
-
Auditing IT security
-
Computer-assisted audit tools (CAATs)
-
Data analysis tools for data manipulation
-
Marketing internal audit internally
-
Monitoring fraud
As in previous years, the results show that internal auditors are intent on improving the way they leverage technology to analyze data and create new efficiencies to free up resources. Results also indicate an increased desire to adhere to new guidance and standards in order to advance existing IT audit plans, and more effectively communicate the importance of these audit practices to key stakeholders.
Personal skills and capabilities
In addition to enhancing skills in new technology and applications, internal auditors remain committed to increasing collaboration with other departments and functions in the organization. CAEs and internal audit professionals seek to improve and leverage their personal skills such as persuasion, their relationships with board members, and their internal and external networks in order to balance multiple priorities and strengthen the function's strategic contributions to the organization.