Internal audit and cyber risk
Deloitte has published good work. One of my favorites is their risk-intelligent white paper series.
Recently, they released Cybersecurity and the role of internal audit. It has both superior and inferior advice. Let me walk through it.
The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses over $2 trillion by 2019, nearly four times the estimated 2015 expense. Many audit committees and boards have set an expectation for internal audit to understand and assess the organization’s capabilities in managing the associated risks.
This is good advice. Cyber is one of the most significant risks on the agenda of the board and audit committee.
Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board, which will then drive a risk-based, multiyear cybersecurity internal audit plan.
This is wrong (IMHO) on so many levels!
- Management and not internal audit should be performing the cyber risk assessment. The role of internal audit is to assess the adequacy (which includes the currency) of that risk assessment.
- While the audit plan should be enterprise risk-based, a multiyear plan makes no sense. Who these days believes that the cyber risks will be the same in 2016 and beyond as they have been in late 2015?
- There should not be a separate ‘cybersecurity audit plan’. As most have pointed out, cyber is a business risk, and addressing the IT aspect in isolation from other business measures is less than optimal.
Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations. This comprises an organization’s first line of defense. The second line includes information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed, often under the direction of the chief information security officer (CISO).
Deloitte does well to point out that the so-called 1st line of defense (better referred to as ‘offense’ in my opinion) includes operational management from the business as well as IT. However, I cannot explain why it ignores the role of enterprise risk managers. Also, a growing source of risk is the extended enterprise – partners, consultants, and others who work with the company and provide access points to the organization’s crown jewels.
By the way, Deloitte does not refer to ‘crown jewels’ and the need to understand what they are. I don’t know why not.
Increasingly, many companies are recognizing the need for a third line of cyber defense—independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.
There are some good points here. A formal assessment and report to the board or audit committee should be provided, perhaps as part of the overall report by the CAE on the management of key risks. In addition, internal audit needs to have the skills necessary to perform the assessment and to suggest possible improvements – something Deloitte expands on later.
For internal audit to provide a comprehensive view of cyber security, and avoid providing a false sense of security by only performing targeted audits, a broad approach should be employed.
This is another good point: internal audit has traditionally looked at certain areas, but a more holistic assessment should be made of how well cyber risk is addressed.
The Deloitte framework looks OK and I welcome comments on it.
Deloitte references testing and assessments that might be performed as part of the organization’s SOX program. However, SOX scope is limited and the cyber management program, and internal audit’s related work, should address all significant cyber-related risks and not be limited to those that might affect the integrity of financial reporting.
I am not a fan of Deloitte’s risk assessment framework. I prefer something that is driven by the objectives of the enterprise (not mentioned by Deloitte) and how a cyber-related issue might affect them.
Overall, this is a very important topic. My experience, based on discussions with board members as I participated in NACD events where the focus was on cyber, is that many boards lack confidence in the ability of internal audit to provide the necessary value in this area. Deloitte says that “A tech-oriented audit professional versed in the cyber world can be an indispensable resource.” I agree totally and my practice always included a high percentage (20% – 25%) of technology specialists.
What do you think?
Join me for a discussion about effective risk management. Details of webinars and in-person events are at RiskReimagined.com.