Internal audit has a critical role in helping organizations in the ongoing battle of managing cyber threats, both by providing an independent assessment of existing and needed controls, and helping the audit committee and board understand and address the diverse risks of the digital world.
Cyber risk and internal audit
The threat from cyberattacks is significant and continuously evolving. Many audit committees and boards have set an expectation for internal audit to understand and assess the organization’s capabilities in managing the associated risks. Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board which will then drive a risk-based, multiyear cybersecurity internal audit plan.
Third line of defense
Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations and comprise an organization’s first line of defense. The second line includes information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed.
Increasingly, many companies are recognizing the need for a third line of cyber defense–independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.
Download the complete PDF Cybersecurity and the role of internal audit
Authors: Sandy Pundmann and Michael Juergens