Can internal auditors audit cyber or risk management?
One of the commenters on my last post on audits of cybersecurity said that providing assurance on such a technical area is beyond the ability of internal auditors.
He has a point!
- First, I don’t have a lot of confidence that InfoSec practitioners have the right cybersecurity in place for their organizations as few seem to be focused on enterprise business risk. They are following guidance from NIST, ISO, and others that treat information security in a silo.
Business executives and boards appear reluctant to give InfoSec practitioners all the support and resources they desire, and in my opinion it is because the case has not been made that the funds and attention are needed on business grounds. The only case being made is in technobabble, based on a list of high-risk information assets instead of the result of an analysis of how the business might be adversely affected.
If those in charge, with all the training and experience in the world, are having trouble implementing and maintaining systems and processes they and top management believe are fully effective, then why should we expect internal auditors to know whether information security is adequate?
- Then, there aren’t enough internal auditors who both have a deep understanding of the business (essential for everyone) and have more than a basic appreciation of what it takes to protect an organization’s systems and information – and the technical world of cyber is constantly changing. Training they may have received in 2020 may not be sufficient in 2021 and beyond.
XX
But I believe internal audit can and should provide the assurance, advice, and insight top management and the board need.
I suggested in my last post that internal auditors should take this approach:
- Examine the foundation of information security before looking at any detailed defenses. I had a separate audit of this performed at one company. It assessed the context for information security, including the effectiveness of related risk management, the staffing level and competence of the team, the position of the CISO in the organization, and so on.
- Have management explain why they believe cybersecurity is effective. You don’t need the same level of technical expertise for this as you would for trying on your own to audit the technical details of protection, monitoring, detection, and response mechanisms. The answers will give you great insights, especially if you discuss them without blame or judgment with both operating and technical management.
- Audit in more depth only those areas of cyber that represent the greatest risk to the business. In other words, I would perform a series of audits starting with the foundation and progressing to focused areas of concern.
- Work towards an opinion on how management is maintaining information security over time rather than seeking to reach an opinion whether it is sufficient at any point in time.
XX
Saying that you can’t audit InfoSec because you lack the technical skills is not, in my opinion, acceptable. If you can’t hire the people you need, then co-source expertise. If you are not given the budget to do either, you have a very much more significant problem with confidence in and support for internal audit!
In each of my companies, I made sure that between people on my team and those I brought in as co-source partners, I had the requisite skills and experience to provide a professional opinion on how management was addressing cybersecurity.
For example, at Tosco in the early years, I used Arthur Andersen to perform white hat penetration audits. In later years, I had an IT auditor on staff (Alan Proctor) who had better information security skills than most of the IT Security team. (As a matter of interest, most of the latter had been hired out of my IT audit team.) The other IT auditors, and there were several, had a great combination of business and technical skills, albeit not at Alan’s level. At Business Objects, the individual with the strongest technical skills in the company was one of my IT Audit Managers, Tabitha Gallo.
I am comfortable that I had the resources to audit and provide assurance on cyber at each of my companies. My teams worked to improve information security so that it met the needs of the company, rather than score points by finding holes in the defenses.
I should add that we audited InfoSec within the context of the business and other, operational controls.
XX
Auditing risk management is another challenge.
Just as I said with cybersecurity, I am not confident that many risk management programs meet the needs of the enterprise. The great majority are focused on avoiding failure rather than enabling the informed and intelligent decisions necessary for success.
The IIA has a Certification in Risk Management Assurance (CRMA), a credential that I have myself. You can see the syllabus on their web site. The only prerequisites are that you hold a CIA certification and have 5 years of either internal audit or risk management experience. There is no requirement that you have any experience in auditing risk management.
While I believe the credential has value, I am not persuaded that those who pass the exam are immediately qualified to audit and then express an opinion on whether risk management meets the needs of the organization. That takes more business experience and insight, as well as a broader understanding of what it takes for risk management to be effective. For example, how risk management enables the informed setting of objectives and the weighing of risk and reward in decision-making.
The syllabus appears to me to be, again, focused on avoiding harm rather than achieving success through informed and intelligent decisions.
But I believe internal audit can and should provide assurance, advice, and insight on risk management. It will usually require the involvement and judgment of the CAE working with the CEO and other executives.
XX
I have said in my books and writing in this blog that I like using a maturity model when reporting on an entity’s risk management programs – and include a very comprehensive one in Risk Management for Success.
Comcover, the Australian Government’s self-managed insurance fund, has shared a risk management maturity model that may not be as extensive as mine but is free. It has quite a lot of detail and I recommend its consideration.
Any maturity model should be tailored for your specific organization.
XX
Returning to the question, can internal auditors provide a valuable opinion on risk management?
I believe the answer is yes. They can and they should.
But they need to understand, as a prerequisite:
- The business: its operations, people, and processes.
- The capabilities and objectives of the business.
- That effective risk management is more than an insurance or compliance function. It is not the periodic review of a list of risks. It is about enabling success.
As with cyber, I like the idea of asking management at various levels whether they believe risk management:
- is effective,
- helps them make informed and intelligent decisions, both tactical and strategic, and
- helps them achieve personal, departmental, and enterprise goals.
If they say yes, then we need to ask why and how. If they answer no to any, we explore what is holding the organization back.
XX
I welcome your thoughts.
Leave a reply to Andy Gill Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
A very good approach. I particularly like the idea of asking management at various levels your three risk management questions – if the answers are anything but yes, then their risk management is more of an administrative burden fulfilling an existential compliance requirement rather than being part of the organisational DNA. The questions serve as an effective guide for the focus of a review.
Thank you, John
It is a good approach. I see the Auditing as an independent field of expertise has evolved over a period of time with its own tools and techniques for providing assurance. Of course, these tools/ techniques need to undergo continuous testing for its effectiveness and its liveliness given the speed of evolution in the other fields such as Info sec or Risk Management etc., But It does not mean that the auditing of certain domains is beyond the scope or efficiency of Auditing.
Ermmm, maybe not in all countries, but in a lot already: IS Auditors (sometimes called IT auditors since the T seems to be beyond the grasp of those not schooled to understand basic modern tech). The better ones are (at least were ..!) trained in ‘accountancy’ (including ‘governance’ and ‘control’ stuff also of intricacies and business risks of/in the various *business* processes!) *and* technology *and* infosec.
Some countries seem to not be able to see that ‘auditing’ isn’t only about matching debit with credit or babbling away about ‘governance’ without making a (any) dent.
Not every sandhog ‘is’/ knows how to be an SAS man. Don’t expect them to be, or from knowing the sandhog dismiss the possibility the SAS exists.
Your comment on having Management provide their justification why *they* believe cyber security or risk management is effective is key. A control structure (and controls) without effective KPIs (a form of monitoring) is not under control. As an independent reviewer I should be able to assess Management’s KPIs for completeness, accuracy, validity, timeliness, etc.
Thank you. This post gave me an insight on how I can approach infosec during audits. I usually tend to avoid getting into this area due to lack of knowledge. But ICS is going to be the need of the hour now and this post got me looking at courses to get me started on ICS.