
Authoritative guidance on audits of cybersecurity

Last year, The IIA released Assessing Cybersecurity Risk: The Three Lines Model (download at https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-The-Three-Lines-Model.aspx). It is considered Supplemental Guidance (one of their Global Technology Audit Guides, GTAG) rather than mandatory.

The GTAG has some good ideas and is useful reading for those charged with an audit of cybersecurity.

However, it is not without its flaws.

I will provide some excerpts here with my comments.

  • Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete.

Comment 1: While providing assurance over cybersecurity risks is an interesting concept, it is far better to provide assurance on the management of business risks and opportunities. You cannot understand and assess cybersecurity risks without first understanding how a failure to provide effective cybersecurity would affect the business. Managing cyber in a silo is not good management of the business.

Comment 2: IT general controls include information security and cyber is simply (IMHO) a new buzzword for infosec.

Comment 3: One of the challenges is that the level of threat changes all the time. That makes it more challenging to express an opinion on cyber-related risks, because an opinion might be right today and wrong tomorrow.


  • In response to such emerging risks, CAEs are challenged to ensure management has implemented both preventive and detective controls. CAEs must also create a clear internal audit approach to assess cybersecurity risk and management’s response capabilities, with a focus on shortening response time. The CAE should leverage the expertise of those in the first and second line roles to remain current on cybersecurity risk.

Comment: It is important to remember that there may be compensating or mitigating controls within the business. For example, one Canadian agency I worked with managed funds for other agencies in the province. It rarely traded, so the loss of availability of their systems was mitigated to a large extent by the fact that each executive had spreadsheets showing their positions.


  • Management in first line roles owns and manages data, processes, risks, and controls. For cybersecurity, this function often resides with system administrators and others charged with safeguarding the assets of the organization.

The second line comprises risk, control, and compliance oversight functions responsible for ensuring that first line processes and controls exist and are effectively operating. These functions may include groups responsible for ensuring effective risk management and for monitoring risks and threats in the cybersecurity space.

As a third line role, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management, and controls. This includes assessing the overall effectiveness of the activities performed by the first and second lines in managing and mitigating cybersecurity risks and threats.

Comment: We need to be careful not to assign responsibilities to functions in the second line for ensuring anything. They help the first line, who own and are accountable for understanding, assessing, and evaluating sources of risk.


  • As part of evaluating the effectiveness of the risk management process required in IIA Standard 2120 – Risk Management, the role of the internal audit activity is to independently assess cybersecurity risks and controls to ensure alignment with the organization’s risk appetite.

Comment 1: Incorrect. Internal audit should assess whether management is understanding, assessing, and addressing risks; it is not internal audit’s responsibility to assess the risks themselves.

Comment 2: It is correct, however, that internal audit should independently assess the design and operation of related internal controls – which include the combination of controls in the business as well as in IT and other functions.

Comment 3: Risk appetite is a debatable concept, and it is hard to see how it relates to cybersecurity risks. It should apply to the business operation, if at all.


  • This involves reviewing the adequacy of work done by the second line roles related to frameworks, standards, risk assessments, and governance.

Comment: Internal audit should assess the work of the second line in terms of whether they meet the needs of the organization. A compliance audit (for example with standards or frameworks) is of far less value.


The GTAG shares 10 questions that internal auditors should consider asking during their audit. While they merit consideration, they are based on auditing cyber as if it existed in a silo, separate from the operation of the business.


I believe any audit of cybersecurity (or information security, if you see a difference) should be based around these principles:

  • Any organization’s approach to cybersecurity should be risk-based, and by that I mean designed to reduce the overall risk to enterprise objectives to acceptable levels, given the cost and other factors.
  • It is impossible to reduce the risk to zero, so business judgment should be applied in allocating resources.
  • Every dollar spent on cybersecurity is a dollar that is not spent addressing other sources of opportunity and risk.
  • Internal audit’s goal should be to assess whether management has reasonable processes in place to assess cyber as an element of business risk, determine appropriate prevention and response measures, and then design, implement, and maintain reasonable cybersecurity.
  • Internal auditors need not only to have an acceptable understanding of cybersecurity principles, but also to understand how risk management can help an organization make the informed and intelligent decisions necessary for success[1].
  • The threat landscape is changing all the time, so a point-in-time detailed assessment of cybersecurity measures is of less value than assessing whether management has reasonable ongoing processes. However, periodic assessments of those areas that are considered most vulnerable often have value to confirm management’s approach and ability.
  • Excessive caution around cybersecurity can be harmful. However, a failure of the whole organization to recognize the risks and use reasonable caution in their work is itself a source of risk.
  • Internal audit should be wary of penalizing good faith efforts to build an effective cybersecurity program. Progress and other positive aspects should be highlighted, while explaining where improvements should be made.


Here are some different questions to consider:

  1. Does management have an acceptable program for anticipating what might happen (a.k.a. risks and opportunities) and factoring that into objective and strategy-setting, as well as into strategic and tactical decision-making? (This question applies enterprise-wide, not just to cyber.)
  2. Does management understand what the likelihood of achieving enterprise objectives is, given all the things that might happen?
  3. Does that program include the consideration of how a failure to protect information and the related systems and infrastructure might affect the achievement of enterprise objectives?
  4. When assessing how a cyber breach could affect the business, is there an effective partnership between operating management and the technical staff? In other words, do both actively participate and is it a shared assessment?
  5. Are all the risks and opportunities, including those that are technology-related, assessed and evaluated in a way that enables them to be compared, aggregated, and addressed in a way that optimizes the likelihood of enterprise success? Is all of this done in a way that enables the appropriate allocation of capital and other scarce resources?
  6. When it comes to cybersecurity, and changes in associated risks and opportunities, is there a constructive discussion about actions and budget with management – in business language? Do all parties understand each other and the situation?
  7. Is the information relating to cyber that is provided to management and the board understood by them within the context of running the business? Is it actionable, providing the information they need for management decisions?
  8. Is the budget for cyber defense and response allocated based on an appropriate understanding of what is needed to help the business achieve its objectives?
  9. Does management have a list of areas where improvement is needed? Is there a plan to address them on a timely basis?
  10. Are sufficient resources in place or at least budgeted to make all necessary upgrades?
  11. Is there effective monitoring of potential and actual breaches so that their effect can be minimized, including their duration?
  12. Is the organization adequately prepared, with communication and recovery plans as necessary, for a breach?
  13. Are there appropriate procedures in place to notify external parties, such as customers and partners? Is there reasonable assurance that any necessary filings are made with the regulators to disclose breaches?
  14. Do both management and the Infosec leaders believe there is an appropriate level of prevention, mitigation, and response when it comes to cyber? If not, why not?
  15. If management believes there is a reasonable level of cybersecurity, why?
  16. Have appropriate insurance policies been put in place?
  17. Are those charged with managing cybersecurity technically competent, and do they have a solid understanding of the business?
  18. Do those charged with cybersecurity have an appropriate position within the organization, with necessary access to top management?


Clearly, this is only a start. I prefer to ask why management believes they have appropriate cybersecurity because I can base additional audit activities around it. If they can’t explain why, there is another problem entirely.

You may have noticed I am not mentioning any of the cybersecurity frameworks or standards. Each organization has to do what is right for them rather than adhere and comply with a generalized standard. Those pieces of guidance are valuable frames of reference, but compliance with a standard is not a guarantee of effective cybersecurity.


I hope this is food for the thoughts that you will share in the comments.

[1] Of course, it would be disingenuous not to recommend my own book, Making Business Sense of Technology Risk.
