Cyber security top of mind for auditors

Internal audit professionals are making strides in meeting cyber security and data privacy standards, although much work remains, according to a survey by Protiviti.

Many of the organizations surveyed rated themselves as less than “very effective” at addressing their cyber security risks. However, the self-rating results are significantly better for organizations in which the board of directors has a high level of engagement with information security risks, and those that include cybersecurity in the annual audit plan.

“Across the globe, businesses are continuing to experience cyber security issues, challenges, and breakdowns,” says Brian Christensen, executive vice-president, global internal audit and financial advisory, Protiviti. “Those professionals who continue to engage board members and define cyber security measures within their annual audit plans will be poised to effectively mitigate future threats.”

Top 5 identified

Survey participants cited the following as the top five most significant cybersecurity risks:

• Data security (company information)

• Brand/reputational damage

• Regulatory and compliance violations (tie)

• Data leakage (tie)

• Viruses and malware

More than 800 internal audit professionals, including chief audit executives, participated in Protiviti's ninth annual survey to assess the top priorities for internal audit functions. Along with a review of cybersecurity management and processes, the survey assessed general technical knowledge; audit process knowledge; and personal skills and capabilities.

A closer look at involving the board

Protiviti’s survey shows a clear, positive correlation between a high level of board engagement in information security (30% of respondents) and an organization’s ability to acceptably manage cyber security risk. There is a similar relationship between having defined cyber security measures in the annual audit plan and the successful management of cyber security risk.

For example:

• Nearly half of organizations with a high level of board engagement (47%) rate themselves as “very effective” at identifying cyber security risk, compared to just 19% of other organizations.

• Seventy percent of organizations that include cybersecurity in the audit plan have a cyber security risk strategy in place, compared to 42% of other companies.

• More than half of this year’s respondents (53%) note that cybersecurity evaluation has been included in their current audit planning. Of those organizations, 60% have used the NIST Cybersecurity Framework to measure and evaluate existing programs.

Across respondents, many CIOs have also taken particular interest in collaboration with the audit committee, reporting on both cybersecurity and IT related risks (43%).