PwC: Internal audit has to play a more substantial role in information security

Most companies fail to adequately monitor and update their defences against cybercriminals, raising the risk of costly data security breaches, according to PwC.

Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, a PwC white paper, asserts that the increasing frequency and sophistication of hacker attacks require companies to do more than simply establishing a data security protocol. PwC proposes a three-pronged approach that gives the internal audit department a crucial role in providing assurance about the controls and policies governing the company’s efforts to safeguard the privacy of its data.

The number of data security breaches is on the rise, according to a database maintained by the Open Security Foundation. The database shows 879 publicly reported incidents of loss, theft or exposure of personally identifiable information so far in 2012. That is on pace to top the 2011 total of 1,037, which itself was an almost 30% increase from 2010.

There are several reasons for the rise in successful hacks of corporate computer records, PwC said:

  • Companies and their employees continue to increase their activity on the internet, thanks in part to the growth of user-friendly technologies such as mobile devices and cloud computing. Unfortunately, those user-friendly technologies often are hacker-friendly as well. A 2011 study by the Ponemon Institute found that 28% of digital security breaches occurred remotely among the mobile workforce.

  • Companies today collect and store unprecedented amounts of personal data on customers and employees, creating an inviting target for hackers.

  • Companies have boosted spending on cybersecurity and implemented policies that often are comprehensive. However, companies often do not have anyone checking to make sure that employees are following the security protocols.

  • Companies are not reviewing their cybersecurity policies often enough to ensure they are effective against new threats. In 2011, only 39% of nearly 10,000 executives in 138 countries said they reviewed their privacy policies annually, according to a PwC survey. That was down from 52% in 2009.

Data security failures can cost a company in several ways. Fines for a single incident have reached as high as $15 million. Legal, IT recovery and other costs can be several times that. Violations of data security laws can lead to increased regulatory oversight. And then there’s the damage to reputation.

Depending on the nature of the breach (for example, the scale and type of data lost), 850 senior-level executives interviewed by Ponemon estimated that the average damage of a security breach to their company’s brand would run from $184 million to more than $330 million.

“Despite all the attention around data security, the risk of breaches is only getting worse with severe ramifications, not only in terms of dollar costs, but also management attention and company reputation,” Dean Simone, leader of PwC’s US risk assurance practice, said in a news release. “To battle the ever-changing hacker profiles and accelerating rate of technological change, companies need to constantly re-evaluate their privacy and security plans.”

Three lines of defence

To shore up their defences against cybercriminals, companies should institute three lines of defence, PwC says:

  1. Management. The most effective information security initiatives are overseen at the management level. Management assumes responsibility for assessing, controlling and mitigating data security risks.
  2. Risk management and compliance functions. Companies should set up working groups and committees to develop security policies and controls and also to monitor the ongoing effectiveness of those policies and controls.
  3. Internal audit. The internal audit team is responsible for providing objective assurance to the board and executive management on how effectively the company assesses and manages its cybersecurity risks. Without this assurance, which internal audit is often qualified to provide, the company runs a greater risk of its security and privacy practices becoming inadequate or even obsolete.

“No matter how strong a company’s data security policies and controls are, a company won’t really know the adequacy of its defence if it doesn’t continually verify that those defences are sound, uncompromised and applied in a consistent manner,” said Jason Pett, PwC’s US internal audit services leader, in a news release. “Internal audit has to play a far more substantial role in information security, and audit committees must also increase their attention on the increasing risk, heightening the expectations they place on internal audit to place adequate focus on data security and privacy concerns.”

Internal audit should include significant data security and privacy risks in the risk-assessment reports it presents to the company’s audit committee, PwC says. Internal audit also should identify weaknesses and controls. Companies should instruct internal audit to learn about and stay abreast of the latest information security threats.

For the three-pronged approach to work, PwC said, companies must overcome several barriers:

  1. A managerial mind-set that believes adequate controls are in place.
  2. A reluctance to spend the money and time necessary to implement and maintain effective information security.
  3. A lack of confidence in internal audit’s ability to assess data privacy and IT controls. PwC recommends that companies hire new staff who are experts in privacy and cybersecurity controls, or provide training to current staff to bring them to expert level.
  4. A fragmentation of responsibility for IT security controls among several teams, such as legal, finance and IT. PwC recommends assigning one person the responsibility of overseeing information security. This role could be handled by an information security officer, the general counsel, the chief risk officer or an executive on the management committee.

“In order to effectively monitor and communicate the risks of data security, all companies need internal audit to serve as that strong third line of defence,” Pett said.

Jeff Drew ( is a CGMA Magazine senior editor.