Factoring cyber risk into internal audit processMany companies are neglecting to assess vulnerabilities, a global survey shows. Experts offer advice to shore up cyber risks.
Data breaches can eviscerate a company’s bottom line, with compromised companies running the risk of hefty regulatory fines, battered reputations, and sudden drops in consumer confidence.
Despite that, many companies aren’t incorporating cyber risk assessments into their overall internal audit processes, an oversight that experts say is dangerous.
“Cyber risks may present the biggest off-balance-sheet risk that exists,” said Clay Young, Deloitte’s US IT internal audit practice leader and a risk and financial advisory partner. “If an organisation sustains a massive cyberattack, it can go from being financially healthy to at risk of failure.”
Half of the internal audit leaders responding to a recent survey didn’t conduct specific cyber risk assessments as part of their regular processes, according to Deloitte’s 2018 Global Chief Audit Executive Survey, which polled more than 1,100 internal audit leaders in 40 countries.
Those who did one found it worthwhile.
The Deloitte survey found that, of those who took stock of their cyber landscape, nearly three-quarters created a plan to incorporate cyber risk into the internal audit process.
There are several reasons companies don’t routinely look at the risk encapsulated in cybersecurity issues, from internal audit divisions not viewing cyber risk as a major priority to an overreliance on company IT leaders, Young said. Internal audit leaders can feel they don’t have the technical expertise to challenge the assessment of a chief information officer (CIO) and chief information security officer (CISO), and an IT expert may not be considering the full range of risk.
But internal audit executives need to take cybersecurity seriously and incorporate routine assessments into their processes.
Here are some tips of how to approach the issue.
Ask what’s happening
If your company isn’t conducting detailed cybersecurity risk assessments, don’t assume it isn’t doing anything at all, said Torpey White, CPA/CITP, CGMA, a Pennsylvania-based partner in Wipfli’s risk advisory and forensic services practice.
“Be very cautious and thoughtful about finding out what your organisation is doing,” White said.
Cybersecurity threats are constantly shifting, and your company’s CIO and CISO are likely well aware of the major breaches and trends. But they may not be as focused on less acute areas of risks, and an audit would help point out company-wide vulnerabilities that are less obvious to those in the cybersecurity threat trenches.
“It’s a matter of if they are reacting to things as they arise or if they are being proactive,” White said.
Having a robust cybersecurity plan is more than a good idea, said Emily Mossburg, a Deloitte risk and financial advisory principal and solutions leader for cyber risk services. It’s a necessity.
With the EU’s General Data Protection Regulation now in effect, and other nations and US states lining up similar data regulations, companies big and small have to be responsive to online vulnerabilities.
The US Securities and Exchange Commission beefed up its guidance on cybersecurity for public companies within the last year.
The SEC guidance requires public companies to have a risk assessment programme that focuses on data and to show how their boards of directors steered risk oversight to include data protection.
Internal auditors are well positioned to conduct assessments but may not be able to tell whether the IT department or CISO is doing enough to protect a company, Young said. That can be where it makes sense to bring in subject-matter specialists to help, Young said.
He said cybersecurity audits should encompass the full cybersecurity framework through a cyber governance assessment and move on from there.
Just don’t expect that initial assessment to answer all questions, Young said. “It is not intended to be an exhaustive analysis requiring extensive testing,” he said.
Those who sit on corporate and advisory boards play a central role in steering companies to account for cybersecurity issues.
“If you serve on a corporate board or lead an internal audit group, it is your duty and responsibility to raise the issue of cyber risk to the overall board — not just the audit committee alone — and management,” Young said.
He suggested board members become well versed on cyber issues. Having knowledge and understanding will be the most effective way to get your points about cyber vulnerabilities across, he said. Boards should also make sure to have at least one member with cybersecurity expertise to ensure oversight is adequate.
Don’t forget about partners
One of the biggest mistakes organisations make is to assume they’ve accounted for all their risk by looking only at what’s going on within their offices.
Some of the biggest risks could relate to the steps third-party contractors and vendors are taking to keep data safe and free from cyberattacks, White said.
White said that audit executives should be asking, “What do we know about our third-party vendors, and what are they doing?”
Many times, the relationship with a contractor or vendor focuses on the cost and initial negotiations, and there is little discussion about how vendors will be vigilant in their own data protection strategies, or who is on the hook if a major breach occurs.
White suggested checking routinely on third-party contracts to ensure that the terms for data protections, cyber risk assessment, and insurance coverage are being followed.
Building skilled teams
Internal audit division leaders will continue to face challenges in scrutinising cybersecurity issues, as technology and accompanying threats advance at breakneck speeds.
That, coupled with a move in some companies to migrate audit functions back in-house from outside consultants, underscores the need to build internal auditing teams conversant and comfortable with advanced technologies, according to a 2018 cybersecurity report from Crowe Horwath and the Internal Audit Foundation.
“Internal audit departments do not have to be populated by people who can write code, but it is important to have access to people who understand software development platforms and development languages,” the report states.
The report suggests recruiting individuals with backgrounds in software development, system administration, and network design and configuration.
— Sarah Ovaska-Few is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.