In an ideal world, cybersecurity plans are well-designed, routinely tested, and executed flawlessly. Everyone knows their role and follows the policies and practices designed to protect the organization from shadowy evil-doers lurking in the ether.
Boards and management are quick to recognize changes in risk and technology, and promptly act to modify plans, as needed. Cybersecurity efforts are supported and strengthened by a healthy organizational culture.
Of course, we don’t live in an ideal world.
Organizations must constantly monitor cybersecurity practices, policies, and plans. This is where internal audit plays a crucial role. Once cybersecurity plans are created, organizations should enlist internal audit to do what it does best – test for effectiveness and efficiency of controls and protocols, and provide the board and management with assurance about those protections.
Internal audit's cybersecurity work focuses on four areas:
1. Provide assurance over readiness and response. According to The IIA Audit Executive Center’s 2016 North American Pulse of Internal Audit report, just one in four respondents who reported having a business-continuity plan said it provided “clear, specific procedures for responding to a cyberattack.” What’s more, 17 percent reported their plans had no such procedures at all. This is the kind of data that should keep the C-suite and board up at night.
Internal audit can help organizations review and test cybersecurity, business-continuity, and disaster-recovery plans. The potential for reputational harm that poorly managed business disruptions create is significant, and it is far better to find faults through mock exercises than in a real-life scenario.
2. Communicate to the board and executive management the level of risk to the organization and efforts to address such risks. Understanding how much of a risk cyberattacks pose and what is being done to mitigate them is essential to managing the risk.
3. Work collaboratively with IT and other parties to build effective defenses and responses. Cyber risk is a business risk, not just an IT risk. Too often it is magnified, distorted, and obscured when it is treated as a matter for IT systems alone. Building strong, collaborative relationships between internal audit and IT will help ensure mitigation efforts and responses are effective.
4. Ensure communication and coordination. This may be the most valuable benefit internal audit can offer. Because a well-resourced and effective internal audit function has a broad perspective about organizational risks, it is in an ideal position to promote communication and coordination about cyber risks across the organization.
Turf battles over who “owns” the cybersecurity risk are counterproductive and weaken the organization’s cybersecurity efforts. A unified effort where roles are clearly defined creates the best conditions for deterring cyberattacks, executing business-continuity plans when cyberbreaches occur, and building cyber-resilient organizations.
Despite its complexity and formidable challenge, effective cybersecurity is within the reach of most organizations. By using the “Four Rs” – resist, react, recover, and re-evaluate – organizations can build effective cyber-resilience plans.
Source: Accounting Web