Bolstered by technology expansion, a surge in data growth, evolving business models and motivated attackers, the threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses more than $2 trillion by 2019, nearly four times the estimated 2015 expense.* In response to the increasing threat, many audit committees and boards have set an expectation for internal audit to perform an independent and objective assessment of the organization’s capabilities of managing the associated risks. A first step in meeting this expectation is for internal audit to conduct a cyber risk assessment and distill the findings into a concise report for the audit committee and board, which can provide the basis for a risk-based, multiyear internal audit plan to help manage cyber risks.
“The forces driving business growth and efficiency are also opening pathways to cyber assaults,” says Michael Juergens, an Advisory managing principal at Deloitte & Touche LLP. “Internet, cloud, mobile and social technologies—now mainstream—are platforms inherently oriented for sharing. At the same time, outsourcing, contracting and remote workforces are shifting operational control,” he adds.
Many organizations are addressing cyberthreats with multiple lines of defense. For example, business units and the information technology (IT) function at many organizations integrate cyber risk management into day-to-day decision-making and operations, which comprises an organization’s first line of defense. Making up a second line of defense are information and technology risk management leaders who develop governance and oversight protocols, monitor security operations and take action as needed, often under the direction of the chief information security officer (CISO).
“Increasingly, many companies are recognizing the compelling need for a third line of cyber defense—independent review of security measures and performance by the internal audit function,” says Sandy Pundmann, an Advisory managing partner at Deloitte & Touche LLP. “Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. Advising stakeholders on trends and leading practices in cyber and other areas is a growing expectation for internal audit leaders,” she adds.
At the same time, internal audit has a duty to inform the audit committee and board that the controls for which they are responsible are in place and functioning correctly—a growing concern across boardrooms as directors face potential legal and financial liabilities. Since many organizations have cyber readiness initiatives still in flight, some internal audit departments have elected to defer audit procedures until these projects are completed. While this may allow for a deeper level review, deferring cyber assurance procedures may not be the right answer.
Cyber Risk Assessment Framework
Many internal audit functions have developed and tested procedures for evaluating components of the organization’s preparedness for cyberthreats. These targeted audits, such as attack and penetration procedures, are valuable, but do not provide assurance across the spectrum of cyber risks. To provide a comprehensive view of an organization’s ability to be secure, vigilant and resilient in the face of cyber risks, internal audit should consider taking a broad programmatic approach to cyber assurance and not perform only targeted audits, which could provide a false sense of security.
In assessing cyber readiness, internal audit can benefit from understanding the capabilities across a number of domains, how they are addressed today and gaps that may exist within the organization. Several factors are noteworthy as internal audit professionals conduct a cyber readiness assessment:
—It is vital to involve people with the necessary experience and skills. Internal audit has the know-how to conduct assessments. However, understanding whether the IT department or the CISO is doing an effective job of threat modeling can require subject matter specialists who ask effective questions to help evaluate the strength of modeling exercises. A technology-oriented audit professional versed in the cyber world can be an indispensable resource.
—It is important to evaluate the full cyber readiness framework, rather than cherry pick items. This evaluation involves understanding multiple plan components, including the current state of readiness against framework characteristics, where the organization is moving with respect to improving its cyber preparedness plan, and the minimum expected practices across the industry or business sector.
—The initial assessment should be a broad evaluation. The first assessment is not intended to be an exhaustive analysis requiring extensive testing. Instead, it should drive additional risk-based, deep-dive reviews of the organization’s preparedness against cyberattack.
Maturity Analysis
Some organizations may prefer to use a maturity analysis approach, rather than a risk assessment strategy. “A maturity analysis can provide additional value to management and boards by providing a quick visual reference that provides clear cues about areas they may want to explore further,” says Mr. Juergens.
The five maturity stages—initial, managed, defined, predictable and optimized—reflect the progress the organization has made in maintaining security capabilities to help mitigate cyberthreats and achieve its desired maturity level. In a visual representation (click on “full” image link below), dotted lines indicate the level of maturity an organization is targeting, potentially identified in a remediation roadmap.
“In practice, the board would agree on the desired maturity level upon completion of the remediation work, at which point internal audit would test once again and come back to the board to confirm the targeted level has been achieved,” notes Ms. Pundmann.
In addition, a separate assessment scorecard would support the maturity evaluation, highlighting in detail the cyber risks surrounding people, process and technology. For the analysis to be effective, findings should be documented and recommendations made for closing identified gaps.
In some cases, a cyber risk assessment can also be structured to generate a list of gaps and provide the organization with a roadmap for short- and long-term remediation activities.
Building the Foundation for Ongoing Assessment
The cyber-risk assessment underpins both the maturity analysis provided to the audit committee and board, and the development of a risk-based, multiyear internal audit plan for cybersecurity. The multiyear plan can be developed through the results of the assessment, with some audits occurring at a higher frequency than others based upon urgency and consideration of other testing and assessment activities underway in the organization.
It is important to remember that the internal audit approach to cyber assurance is not set in stone. Adjustments can be made based on the emergence of new risks, changes in the relative intensity and importance of existing threats, and other organizational developments.
“Internal audit has a critical role in helping organizations in the ongoing battle of managing cyberthreats, both by providing an independent assessment of existing and needed controls, and by helping the audit committee and board address the diverse risks of a technology-driven world,” says Mr. Juergens.
We are experts in IT audits with rich experience in enterprise market. Please contact us for details.