New survey finds that many internal audit departments are lagging behind on auditing cybersecurity

Internal audit departments appear to be falling behind on their ability to provide assurance that cybersecurity controls are in place and that cyber-risk is being managed.

The fact that internal audit is struggling on cybersecurity—along with the organization as a whole—may be painfully obvious from the level of successful cyber-attacks and other data-security breaches at large organizations in recent months, but new survey results indicate that internal audit is failing to bring the same rigor and expertise to cybersecurity as it brings to areas like financial reporting and compliance.

The report, from the Institute of Internal Auditors (IIA), finds that at some organizations there are no internal audit services related to cybersecurity being provided at all, and when those services are being provided, the vast majority of companies rely heavily on outside providers. According to the survey, Global Perspectives and Insights: Emerging Trends, one-fourth of respondents say that no internal audit services are provided at their organizations, 42 percent say cybersecurity-related internal audit services are co-sourced between internal audit and outside providers, 16 percent outsource them entirely, and another 16 percent say internal audit fully provides assurance over cybersecurity.

Auditing-Cyber-Graph1Survey results were based on 2,254 responses of internal audit professionals from 111 countries and territories. Fifty-two percent of respondents are the highest-ranking member of the internal audit department, or are directors or senior managers reporting to the CAE.

Perhaps the most troubling finding from the survey is why a quarter of internal audit departments don't audit cyber-security: 65 percent say the department lacks the skills and knowledge necessary to provide such services and 55 percent say internal audit lacks the tools necessary to do the job. Other reasons respondents provided for not auditing cybersecurity are that internal audit did not have the support of management to conduct such audits (19 percent), it didn't have the support of the board or audit committee (16 percent), or it didn't have the time (22 percent). (Respondents could provide more than one reason for not conducting cybersecurity audits.)

"While the profession is making clear strides, there remain opportunities for improvement as internal auditors work to more comprehensively address technology risks associated with cybersecurity and big data," said IIA President and CEO Richard F. Chambers. "Internal Audit must continue to focus on key emerging issues, particularly technology and organizational culture."

Why Audit Cybersecurity?
Indeed, the support of boards and management is highly correlated with internal audit departments that audit cybersecurity. When internal auditors that do were asked what drives them to conduct such audits, 34 percent said it was a board or audit committee request, and 28 percent said it was a management request. Others reasons for auditing cybersecurity include: it was rated a high risk (74 percent), the chief audit executive raised the issue during the audit planning process (63 percent), or that the organization had experienced a cybersecurity-related event. (Again, the survey permitted respondents to provide more than one reason.)

Auditing-Cyber-Graph2The news wasn't all bad. According to the survey, internal audits have a greater appreciation of cybersecurity risks than in past years. Indeed, 93 percent of those who completed the survey said that their internal audit department understands the risks associated with cybersecurity.

Getting It Turned Around
In addition, the report's authors provided some potential solutions to address shortcomings in auditing cybersecurity. "First, it all starts with having or obtaining the requisite competencies and tools to audit cybersecurity," the IIA wrote. It went on to say that obtaining those resources could be tied to garnering support from the board and C-Suite.

The report also advised internal audit leaders to foster a collaborative effort that includes trusted partnerships with executive management, the chief information officer, the chief information security officer, and those working on data privacy. It also urged internal auditors to follow the lead of those who have made strides in the area. "Internal audit leaders may need to be the catalyst for the organization to place the right emphasis on the ever-increasing importance of cybersecurity," the report's authors concluded.