
Internal audit and cyber risk

December 15, 2015

Deloitte has published good work. One of my favorites is their risk-intelligent white paper series.

Recently, they released Cybersecurity and the role of internal audit. It has both superior and inferior advice. Let me walk through it.

The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses over $2 trillion by 2019, nearly four times the estimated 2015 expense. Many audit committees and boards have set an expectation for internal audit to understand and assess the organization’s capabilities in managing the associated risks.

This is good advice. Cyber is one of the most significant risks on the agenda of the board and audit committee.

Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board which will then drive a risk-based, multiyear cybersecurity internal audit plan.

This is wrong (IMHO) on so many levels!

  1. Management and not internal audit should be performing the cyber risk assessment. The role of internal audit is to assess the adequacy (which includes the currency) of that risk assessment.
  2. While the audit plan should be enterprise risk-based, a multiyear plan makes no sense. Who these days believes that the cyber risks will be the same in 2016 and beyond as they have been in late 2015?
  3. There should not be a separate ‘cybersecurity audit plan’. As most have pointed out, cyber is a business risk, and addressing the IT aspect in isolation from other business measures is less than optimal.

Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations. This comprises an organization’s first line of defense. The second line includes information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed, often under the direction of the chief information security officer (CISO).

Deloitte does well to point out that the so-called 1st line of defense (better referred to as ‘offense’ in my opinion) includes operational management from the business as well as IT. However, I cannot explain why it ignores the role of enterprise risk managers. Also, a growing source of risk is the extended enterprise – partners, consultants, and others who work with the company and provide access points to the organization’s crown jewels.

By the way, Deloitte does not refer to ‘crown jewels’ and the need to understand what they are. I don’t know why not.

Increasingly, many companies are recognizing the need for a third line of cyber defense—independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.

There are some good points here. A formal assessment and report to the board or audit committee should be provided, perhaps as part of the overall report by the CAE on the management of key risks. In addition, internal audit needs to have the skills necessary to perform the assessment and to suggest possible improvements – something Deloitte expands on later.

For internal audit to provide a comprehensive view of cyber security, and avoid providing a false sense of security by only performing targeted audits, a broad approach should be employed.

This is another good point: internal audit has traditionally looked at certain areas, but a more holistic assessment should be made of how well cyber risk is addressed.

The Deloitte framework looks OK and I welcome comments on it.

Deloitte references testing and assessments that might be performed as part of the organization’s SOX program. However, SOX scope is limited and the cyber management program, and internal audit’s related work, should address all significant cyber-related risks and not be limited to those that might affect the integrity of financial reporting.

I am not a fan of Deloitte’s risk assessment framework. I prefer something that is driven by the objectives of the enterprise (not mentioned by Deloitte) and how a cyber-related issue might affect them.

Overall, this is a very important topic. My experience, based on discussions with board members as I participated in NACD events where the focus was on cyber, is that many boards lack confidence in the ability of internal audit to provide the necessary value in this area. Deloitte says that “A tech-oriented audit professional versed in the cyber world can be an indispensable resource.” I agree totally and my practice always included a high percentage (20% – 25%) of technology specialists.

What do you think?

 


  1. Richard Fowler
    December 16, 2015 at 5:30 AM

    Another very good summary, Norman. Thank you for pointing out the pros and cons of the Deloitte white paper. You make one statement, where they note the 1st line of defense, in which you state that you don’t know why Deloitte failed to mention the role of risk managers in cybersecurity. I would suggest that it is because most risk managers are not actively assessing or mitigating cyber risk, and have formally or informally delegated those activities to the CIO and CISO. In that case, which I have seen in several organizations, there is no true 2nd line of defense for cyber. I would assume, if Deloitte has seen the same delegation across multiple organizations, that explains why Deloitte has not mentioned it. What types of organizations have you seen that have risk managers with the technology and security background to address cyber risk?

    • Norman Marks
      December 16, 2015 at 7:17 AM

      Good question, Richard. I have seen where the risk to objectives from a cyber-related issue (or any other technology-related issue) is incorporated in the enterprise risk program and included in reports to the top of the house. Certainly, reliance is placed on the technical staff who own and manage the risk. Key is that while the source may be cyber, the impact is typically on a business operation.
