Companies have made big progress in the past year integrating cyber-security risk into internal audit plans, according to a new survey from Protiviti, the latest in a string of such surveys emerging before the Institute of Internal Auditors’ annual conference.
Nearly three out of every four organizations include cyber-security risk in their internal audit plans, the poll of more than 1,300 internal audit professionals showed, up from only half of organizations in 2015. Nearly 60 percent of auditors said their companies have received inquiries from customers, clients, or insurance providers about the entity’s readiness to withstand a cyber attack.
Protiviti says two factors emerged from the survey results as having a correlation to an effective cyber-security plan. Those include having a board of directors that is highly engaged on information security risks and the inclusion of an evaluation of cyber-security risk in the audit plan.
David Brand, managing director at Protiviti, says in a podcast on the survey results that many companies took up cyber-security risk in their internal audit plans in 2015 after President Obama’s 2013 directive around cyber-security led to a new NIST framework in 2014.
“If you think about the annual cycle of internal audit, this didn’t hit the risk assessment until the end of 2014, so we wouldn’t see a whole lot of activity until 2015,” he says. “So it’s not surprising that much of that has bled over and is now starting to be on plans for 2016.” Last year was the year of “high-level scans,” he says, while 2016 is a year for “much deeper dives.”
Aside from cyber-security specifically, internal audit is making great gains in its use of technology, the survey suggests, although there’s still plenty more progress to be made. “Internal auditors are making huge progress in the use of technology in the auditing process,” says Brand.
“Where they’re not making much progress is in going into the data analytics phase.” The topic has become an annual fixture in the firm’s survey, he says, with internal auditors recognizing a need to gain capability and make improvement. “We haven’t moved the needle significantly over the 10-year period.”
With respect to the external audit and cyber-security, the Center for Audit Quality recently issued a brief primer directed at audit stakeholders to explain how external auditors are approaching cyber-security risk as it applies to financial statements. The summary explains that external auditors are focused on a subset of the systems and data that might be subject to cyber-security risk, because their purview is the systems and controls that are key to financial statement assertions.