Internal auditors challenged by cyber-security, data quality

About half of internal audit leaders lack confidence in their staffs’ cyber-security expertise, and nearly half say internal audit has little or no involvement in evaluating the quality of data used in their organisation, according to a new survey.

Fifty-two per cent of the nearly 500 respondents to The Institute of Internal Auditors (IIA) North American pulse survey said that a lack of cyber-security expertise amongst internal audit staff very much or extremely affects internal audit’s ability to address cyber-security risk.

Just one-quarter of respondents who reported having a business continuity plan said their plan provides clear, specific procedures in response to a data breach. And 17% said their plans provide no data breach or cyber-attack procedures at all.

With regard to cyber-security, internal audit organisations primarily are focused on prevention. More than half (53%) of respondents said prevention efforts, such as hardening interior or external barriers, are the most effective method for addressing a cyber-attack.

“In the face of a cyber-attack, addressing business continuity and reputational risk are paramount, yet few organisations are taking time to think beyond prevention,” IIA President and CEO Richard Chambers said in a news release. “The IIA has been promoting cyber resiliency – the concept of addressing the full spectrum of prevention, detection, reaction, and restoration – for some time, so these findings are particularly alarming.”

Meanwhile, 47% of respondents said internal audit is slightly or not at all involved in evaluating the quality of data used in their organisation. Nearly one-quarter (23%) said they are slightly or not at all confident in their organisations’ data-based strategic decisions.

Other findings

  • The percentage of internal audit chiefs who report functionally to the audit committee or board of directors has risen (83%, up from 76% in 2013).
  • More than one-third (35%) project increases in their next internal audit budget, and more than half (55%) expect their next budget to remain the same as the current budget.
  • One-fourth expect internal audit staffing to increase, and 71% project that staffing will remain the same.

Ken Tysiac ( is a CGMA Magazine editorial director.