Most auditors learn about IT but don’t come from IT backgrounds. Whereas auditing financial accounting is pretty straightforward, both IT and finance auditors tend to struggle in this brave new world of auditing cybersecurity.
Whether you’re an IT auditor or an auditor integrating cybersecurity into a larger (i.e., finance) audit, you’ll have to write to your audit committee in understandable terms and communicate helpful root causes and risks. Since the cards might feel a little stacked against the auditor at the cybersecurity table, let’s define a few Aces in the hand that you can use when you’re auditing cybersecurity.
Leverage Existing Frameworks
One reason for the auditor’s possible struggle is that cyber has been slow to develop a common language akin to the Generally Accepted Accounting Principles (GAAP) that auditors use for financial audits. For example, auditors find themselves stuck between the techie jargon that an IT team may use to describe a cyber tactic (What is spear-phishing anyway?) and the normal words an executive might understand (“An attacker sent emails addressed from the CEO”).
Tony Sager is the Senior Vice President and Chief Evangelist for the Center for Internet Security (CIS). Sager points out that “in cybersecurity, you can always generate really big lists of things to do but no one will ever do them. The trick is to prioritize what to do first.”
But how do auditors even begin to navigate and prioritize the great and spacious world of cybersecurity? They use a framework.
The NIST Cybersecurity Framework (CSF) provides guidance for how organizations can assess and improve in order to prevent, detect, and respond to cyber attacks. Released in 2014, the CSF provides the closest framework for helping auditors (like GAAP does for finance), although there is still a bit of grasping to standardize cybersecurity.
While the CSF stays at the management level of discussion, it points to companies like CIS and their programs (CIS Controls) for the specifics of implementation. CIS Controls is a list of the top 20 action items a company should have in place to protect against the most pervasive cyber attacks. What’s great about a list like CIS Controls is auditors can leverage the list to define the scope of the cybersecurity audit.
Ask the Right Questions
Once you have a framework and list, auditors must break down tech jargon into simple action items and questions that they can ask their audit client. Once again, the CIS Controls list strives to simplify the jargon as much as possible to make it understandable to all folks.
For example, IT might list, “Minimize the use of administrative privileges,” but this could be vague to both the auditor and the client. Instead, CIS uses a questioning technique: “Do you know who has the ability to change or bypass the security of your systems?” Where clients might not understand how to minimize admin privileges, they can certainly consider and answer the second question about who can bypass security.
Having a prioritized list of what to check first (and how to ask it) in cybersecurity is helpful for an auditor. Once security gaps are flagged, auditors should evaluate possible risks and solutions for the company.
Consider Users as a Security Risk and Moderator
Users are a large threat to cybersecurity. With changing technologies (cloud, mobile, and social platforms) and changing business models (outsourcing, contracting, and a remote workforce), companies have a broader surface that is left vulnerable to cyber attacks. These types of technologies and business models share one thing in common: users.
Users work from home, post to social media, and use the cloud. Vendors that provide cybersecurity support (firewalls, encryption, and anti-malware) certainly have their place in protection. But it’s the users that can be the greatest risk to cybersecurity in a company. Auditors work closely with the business and its users and can play a unique role in educating users in cybersecurity.
Employees need ongoing training to combat ever-changing cybersecurity threats. As an auditor, take time to note how the company is training their employees. Then share both best practices and areas of improvement. Ask questions such as:
1. Do employees know the implications of a security breach?
2. Is there clear guidance on use of social media or how to respond to a phishing attack?
3. Are there incentives for promoting security in an organization?
In cybersecurity, education is power. When it comes to audit reporting, report both the positives and negatives of how users are educated in cybersecurity. Your insight can help the company formulate an overall cybersecurity training plan going forward.
Audit and Test for Business Continuity (BCP) and Disaster Response Plans (DRP)
Auditors should test whether crisis management and resiliency is in place. Looking at the BCP and DRP is not enough though. Analyze whether the plans in place have actually been tested and are effective for current cybersecurity conditions. Sometimes the plans in place have been mostly tested but not fully tested. Sometimes the current plans need to be updated or changed to reflect the current risk environment.
Some companies may have a detailed and automated Disaster Recovery Plan that uses the cloud to get systems up and running. But has the company considered the implications of a poor Business Continuity plan? In other words, when a disaster hits – an earthquake or hurricane or massive blackout or something else – the DR product the company purchased uses a cloud-based service to automatically get systems up and going. That’s great and all but what if, because of the disaster, there’s no one to run the system that is up and running? The ship is sailing without anyone at the helm! That’s where a strong BCP is needed. Who will take care of the company when no one can access the company?
Disasters can be fertile grounds for cyber attacks. As an auditor, it’s important to consider the strength and resilience of both the BCP and DRP. Examples of questions to consider include:
- Who will run the system if the building or city is off limits?
- Do the employees have somewhere else to work?
- Who will respond to website queries and run payroll?
Gather proof that the company tests the plans consistently and has a proactive (and automated) monitoring process to flag cyber issues or attacks. Then make sure there’s a plan for when things get back online.
Focus More on Vulnerabilities, Less on Compliance
Auditors can sometimes worry about risks that pose no actual threat to an asset in the company. In the past, auditors would audit compliance to processes or policies. However, this approach is becoming ineffective because it can overlook the mutating environment of cybersecurity. Perhaps policies are outdated, and there is a place to update those policies. But an outdated cybersecurity policy is probably not the biggest threat to the company. The biggest threats are gaps left in planning or processes that require prompt attention.
Risks that focus on compliance instead of exposing true vulnerabilities can waste the time of the auditor and the reader.
Cyber attacks carry the same risks as other audit risks found in the company. These risks include the following:
- Financial fraud
- Reputation damage
- Threats to health and safety
Note that these risks do not focus on compliance. They focus on what could actually happen to the company. Cyber risks should be addressed with specific detail in the words used to describe the risk.
Within the realm of each risk above, write in primary terms by focusing on solid nouns and verbs. Be specific in your subject (noun) and what could happen (verb). Don’t settle with “A cyber attack could cause reputational damage,” or worse, “Non-compliance to cybersecurity policies led to x, y, and z.” That last example isn’t even a risk, but companies use a variation of it all the time.
Instead, make the risk useful. Explain specific implications! The following lists a few ideas of good nouns, verbs, and adjectives to use as you delve into the specifics of the risks listed above.
attacker, customer, customer statements, consumer data, hardware, reports, software
abuse, corrupt, damage, disrupt, destroy, delete, forge, sabotage, steal, tamper
confidential, sensitive, unrecoverable, without detection
For example, if reputation is at stake, a specific and definitive risk could be “An attacker could sabotage confidential consumer data.”
Auditors are uniquely positioned to make sense out of the technical. You can read more about what your audience needs here. Chances are your final audience (the executive and the Audit Committee) doesn’t speak cyber talk. That’s why it’s important to understand your audience, speak their language, address their needs and the security needs of the company, and be clear in your communication.