IIA Says Internal Audit Should Go Beyond Audits to Advising on Cyber-Threats

There isn't a company out there, big or small, that doesn't have some concerns about cybersecurity. Some have called it the biggest problem of our time for companies. Given the potential for the types of disasters Target, Sony, and so many others have experienced, it's no surprise that internal audit has played an important role in ensuring that cybersecurity systems are in place and functioning.

Yet, that may not be enough. The Institute of Internal Auditors recently called on internal auditors to play a more significant role in protecting companies from hackers and data breaches. A new report, Internal Audit as Trusted Cyber-Adviser, outlines the steps heads of internal audit should take to become significant contributors to cybersecurity efforts.

"Audit leaders must go beyond simply ensuring cybersecurity audits are executed according to plan and instead bring a strategic and anticipatory approach to the problem," the report states.

The IIA report also urges more cooperation between internal audit and IT executives. It advises heads of audit to build relationships with the chief information officer and chief information security officer to gain a clear understanding of what security and IT teams need. Additionally, heads of audit must be familiar with all "cyber pathways" in and out of the organization. Another key to success is buy-in from the top in support of internal audit's efforts, it says.

Keeping Up with the Threat

Among the recommendations for audit leaders, the IIA suggests audit executives do a better job of educating themselves about the potential threats. "CAEs must also advise on current cybersecurity projects and whether these projects are effective in mitigating the risks being faced, make efficient use of resources to direct effort at the most important risks, and are robust and rigorous enough to prevent and detect threats," the report states.

"CAEs may find they can be most effective in their cybersecurity-related reporting responsibilities by focusing on trends in the industry, such as upcoming changes in regulation, new insurance coverage requirements, and new class-action lawsuits."

"Beyond efforts to block cyberattacks and data breaches, audit leaders must embrace the concept of cyber resiliency, a holistic view of how the organization plans for and responds to a successful cyberattack," the IIA writes.

The report, released at The Institute of Internal Auditors' 2016 International Conference, is part of the Global Perspectives and Insights series, which looks at key issues and challenges facing the profession and offers insights and direction on how best to address them.