With the internal audit profession’s annual gathering just around the corner, another annual survey result is emerging to suggest internal audit departments are working hard to get their arms around cyber-risks.
Protiviti released the results of its survey to show internal auditors are making some improvements in auditing IT security, using computer-assisted audit tools, monitoring fraud, and marketing internal audit internally. The survey of more than 800 internal audit professionals says internal auditors report a clear, positive correlation between a high level of board engagement in information security and a company’s ability to acceptably manage its cyber-security risks.
More than half of internal auditors said a cyber-security evaluation is included in their current audit plan, and 60 percent of those organizations are using the National Institute of Standards and Technology cyber-security framework to measure and evaluate risks. Nearly half of organizations with a high level of board engagement say they are “very effective” at identifying cyber-security risk; 70 percent of organizations that include cyber-security in the audit plan have a cyber-security risk strategy in place.
“Across the globe, businesses are continuing to experience cyber-security issues, challenges and breakdowns,” said Brian Christensen, executive vice president at Protiviti. “Our survey shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cyber-security frameworks into business processes. Those professionals who continue to engage board members and define cyber-security measures within their annual audit plans will be poised to effectively mitigate future threats.”
The Institute of Internal Auditors, host to the annual General Audit Management conference, says its annual “North American Pulse of Internal Audit” will also show audit executives are heavily focused on cyber-security risks. It also will show 4 in 10 chief audit executives believe attracting and retaining skilled audit talent is a high or critical priority. More than half said increased competition for limited talent has left a skills gap on their audit teams. The problem is particularly troublesome when trying to hire internal auditors with skills in IT, cyber-security and privacy, and data mining and analytics, according to the IIA report.
Grant Thornton earlier released survey results to show internal audit and audit committees are not always prioritizing risks in the same way, with audit committees focused primarily on financial risks and internal audit executives giving compliance risks highest priority.