An internal audit team can add significant value when it comes to technology risk, but it should not take on responsibility for managing that risk itself.
While this post starts with an internal audit perspective, I close with how the board and top management should address the issue of information/cyber risk.
Protiviti believes, in An Involved and Agile IT Audit Function Is Key to Cybersecurity, that the internal audit team can add significant value when it comes to technology risk.
I tend to agree, but not in the same way that Protiviti suggests.
I do agree with these statements:
High-functioning audit teams help organizations look ahead to identify dangers and opportunities that lie on the road ahead. Getting ahead of the threats, rather than constantly reacting to their consequences, is what it’s all about.
There is a growing recognition that IT auditors need to be involved in the investment, planning, design and implementation phases of new technology projects as well as other, non-technology projects that have the potential to impact an organization’s security risk profile. Additionally, IT auditors should be considering whether their approach to cybersecurity risk assessments (often an annual, point-in-time activity) is sufficient given the rapidly evolving technology and threat landscapes.
I strongly agree with this:
Develop a view of cybersecurity risks focused on business services and outcomes rather than being viewed exclusively through a technology lens.
However, this should not (as implied by Protiviti) be an internal audit responsibility.
In fact, what is missing from the Protiviti piece is any assessment of management’s ability to understand technology-related business risks. Protiviti is marketing their own technology risk assessment methodology, which is a blend of top-down (i.e., considering the effect on the business and the achievement of enterprise objectives of a failure relating to technology) and bottom-up (the more traditional IT approach, starting with technology threats and vulnerabilities). I like the Protiviti approach (which is not at all new and should not be presented as such), but I don’t see it reflected sufficiently in their piece.
Protiviti errs further, IMHO, when they say:
IT audit functions should ensure their cybersecurity risk assessments and supporting toolkits are designed and deployed to provide timely identification of key risks in an environment of rapidly evolving threats and technologies.
Internal audit should help management do this, with advice and insight, but should NEVER take on this responsibility itself – or even consider it.
Frankly, I am concerned that most IT and information security functions don’t have the capability to:
- Understand all the cyber risks their organization faces today and tomorrow in this dynamic and turbulent environment, especially how it could affect the organization, its business, and its enterprise objectives
- Provide a reasonable level of prevention against cyber-attacks, whether internal or external
- Ensure breaches are detected PROMPTLY
- Ensure intruders are expelled PROMPTLY
- Ensure that they know what the intruders did and can mitigate any damage PROMPTLY
- Respond to the external stakeholders PROMPTLY and effectively
In the ‘old days’, when I was at times an IT auditor, responsible for information security, and then responsible for the internal audit function, I might have taken a different approach. I was fond of assessing the foundation for information security, including its resources (money and people) and positioning within the organization, policies, and acceptance by the rest of the organization. Then my team and I would focus on the more significant areas of concern.
But today I would take a different approach.
These are the critical questions I would ask as a board member, CEO, CIO, or CFO.
- Do you (the person responsible for information/cyber security, which should include the CEO and CIO) believe we have reasonable security? Is the risk at acceptable levels?
- If the answer is yes (which should rarely be the case):
  - Why? What gives you this assurance? Would you bet your job on it?
  - How do you know your risk assessment is reliable?
  - How would the business and our objectives be affected by a breach?
  - What confidence do you have that breaches would be prevented? Why? Is that an acceptable level of confidence?
  - Do you believe you can keep out the most sophisticated attackers, such as nation states’ cyber warfare teams? If yes, how? If not, why do you say risk is at acceptable levels?
  - What confidence do you have that breaches would be detected on a timely basis so damage (including to our reputation) could be mitigated? How quickly would they be detected?
  - Do you believe our response plan is effective? Why?
  - Do you believe that we will continue to have effective information/cyber security as threats and techniques change, which they do?
  - How and when will you communicate any change in the above or any successful intrusion?
- If the answer is no:
  - What are you doing about it?
  - Do you believe we will have effective information/cyber security within a very short time? If not, why not?
  - Can we afford to try to do this in-house? Should we go to an external service provider?
  - How are we addressing the risks this represents to the enterprise and its objectives? Do you know what they all are, and do business leaders know?
Internal audit should always be auditing the risks of today and tomorrow – and ensuring that management knows what they are and has appropriate risk assessment and controls in place.
This is not new. Even when I started in IT audit, 40 years ago (OMG), we were performing ‘pre-implementation reviews’ and providing consulting services on major IT projects.
But this is a new world, and we need to re-examine traditional techniques for addressing technology risk.
Before assessing and testing controls, challenge management on whether they believe effective security is in place and why.
The effect of technology failures is simply too great not to.
I welcome your comments.