Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.
Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access. With the frequency and severity of cyberattacks on the rise, there is a significant need for improved cybersecurity risk management.
The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering:
- Who has access to the organization’s most valuable information?
- Which assets are the likeliest targets for cyberattacks?
- Which systems would cause the most significant disruption if compromised?
- Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization?
- Is management prepared to react in a timely manner if a cybersecurity incident occurs?
This practice guide discusses the internal audit activity’s role in cybersecurity, including:
- The role of the chief audit executive (CAE) related to assurance, governance, risk, and cyber threats.
- Assessing inherent risks and threats.
- The roles and responsibilities of the first, second, and third lines of defense related to risk management, controls, and governance.
- Where gaps in assurance may occur.
- The reporting responsibilities of the internal audit activity.
In addition, the guide explores emerging risks and common threats faced by all three lines of defense and presents a straightforward approach to assessing cybersecurity risks and controls.