With yet another potentially catastrophic data breach hitting Corporate America—add insurance giant Anthem to the list of recent victims—internal audit departments are trying to pinpoint what expertise they can bring to the company’s cyber-security risk assessment, and where they might need to rely on more technical help.
The good news, such as it is: there is plenty of work to do no matter what.
“There is so much technical nuance to cyber-security; when people hear terms like firewalls, domains, vulnerability testing, and segmented networks, a lot of internal auditors become intimidated,” says Tom O’Reilly, director of internal audit at Analog Devices. Even executive management and audit committees may wonder whether internal audit is up to the task of assessing a company’s vulnerability to a cyber-breach and readiness to address one when it occurs.
The answer is yes, O’Reilly says. “There are technical aspects of these projects, but regardless of the technicality, internal audit can add a lot of value to this.”
The debate over what internal audit can or cannot do is not uncommon, although it is perhaps renewed by the technical nature of cyber-threats now shaking Corporate America. “This is a criticism that has been in organizations since internal audit has existed,” says David Brand, global head of IT audit for Protiviti. “‘You don’t know my business. You’re not an expert in my area’—that’s just a stonewalling technique.”
In reality, Brand says, internal audit is equipped to do much of the work necessary for companies to grasp their cyber-risks. “Like most things, it’s 80 percent process-based,” he says. “It’s things that anyone with a good audit skill set should be able to review.”
Companies using the National Institute of Standards and Technology cyber-security framework (released last year) will find cyber-risk assessments to be a top-down exercise, he says. “The first questions are understand the business, the strategy, and objectives; what type of information the company produces; what it is the company wants to protect. Those are core questions. That doesn’t require a deep technical skill set.”
Richard Chambers, president and CEO of the Institute of Internal Auditors, says the current cyber-security threat is somewhat similar to the Y2K concern that gripped companies at the end of the 1990s. “It was a business process issue as much as it was an IT issue,” he says. “In that regard, cyber-security is not unlike a lot of business issues in terms of how internal audit would address it.”
Skip Westfall, managing director at Grant Thornton, says he sees companies getting away from the notion that cyber-security is an IT problem. “Because of recent breaches, the approach has been: We need to stop sitting back on our laurels and saying we checked the box. Are we doing all we can do on a day-to-day basis?” he says.
Shuaib Shakoor, a partner at internal audit outsourcing firm Sunera, says many companies still struggle to break away from a check-the-box approach to cyber-security concerns. The first step toward taking the initiative, he says, is to gather the company’s experts in privacy, governance, IT, legal, and other areas to plan an approach. “Band together and figure out what you can do holistically as a company to come up with a preventive and a detective plan,” he says.
What’s In-House, What’s Out-House
Internal audit departments possess many of the skills and tools to perform the cyber-security risk assessment, O’Reilly says—especially if they have (or will soon have) implemented the new COSO framework for internal control over financial reporting. The framework is a useful tool for addressing cyber-security risks as well, audit experts say. “That’s something internal audit can definitely drive,” O’Reilly says.
INTERNAL AUDIT EXPECTATIONS
Below, PwC identifies what the audit committee should expect of internal audit in terms of data security.
Given that data security and privacy breaches can cost a company dearly in financial losses and market reputation, the firm’s board of directors will want to stay on top of these risks. Keeping the audit committee apprised of emerging risks and effective ways to address them is a key role of internal audit.
In the risk assessment report that it presents to the audit committee, internal audit should highlight the organization’s significant data security and privacy risks, including any new risks. Further, it should identify weaknesses in policies and controls. At one global financial services firm, for example, the internal audit function briefs the audit committee about risks it sees within the company, both present and potential. In turn, the company’s audit committee often alerts internal audit and management to emerging security issues that directors hear about at other firms with which they are involved. Such two-way exchanges between internal audit and the audit committee are invaluable in keeping the spotlight on emerging information security risks.
Because the nature of information security risks is evolving continuously, internal audit functions need to stay ahead of the threat curve. Internal audit functions should participate in numerous internal and external forums to stay plugged in to emerging security threats, and practices for protecting against them. Networking internally and externally on information security issues is vital to staying vigilant.
Internal audit’s role in ensuring that information security threats are properly considered becomes especially important when a company is ready to roll out a new business process, product, or information system. In such initiatives, the project team does not always believe it has time to fully consider data security, particularly if the initiative has fallen behind schedule. If internal audit stays on the sidelines, the company could rush into launching a new process, product, or system without adequate controls.
But recognizing information security threats and creating policies and procedures to defend against them becomes just an abstract exercise if functional managers and field personnel are not following those policies and procedures rigorously and consistently. Internal audit is uniquely positioned to assess whether existing controls are being used, but it must also keep its ear to the ground and move quickly to conduct special audits for new information security threats, which some executives consider as important as regularly scheduled audits.
Identifying and inventorying the company’s most important data is another task for internal audit to lead, O’Reilly says. “When someone asks, ‘What is the company’s most precious data?’ not every internal auditor or even management team would be able to talk about all the key documents or physical things that would include the company’s crown jewels,” he says. “So what is the key data? Where does it reside? Who has access to it? And test the rights to that data.” For public companies, this shouldn’t be a foreign exercise, as it’s already required for Sarbanes-Oxley compliance purposes, he says.
Internal audit might want to look for more advanced cyber-expertise as the analysis digs deeper into specific technical vulnerabilities. Carolyn Holcomb, a partner with PwC focused on privacy and cyber-security, says internal audit might be able to perform some vulnerability testing, but most companies will rely on IT or third parties to perform more technical attack-and-penetration studies. “That’s typically a management function,” she says. “If internal audit does perform such testing, it might impair their independence, because internal audit departments should not be performing management functions.”
With vulnerabilities determined, internal audit can help illuminate the potential consequences of those vulnerabilities, as well as the controls in place (or the lack thereof) to remediate the risks. “Internal audit can walk through this process and tee up the questions, like any other accounting control testing,” O’Reilly says. By identifying the potential consequences of any weak spots, internal audit can help reach conclusions about whether the company is performing the right testing and protecting the right data, Westfall says.
Internal audit also can play a role in validating a company’s response plan, O’Reilly says. “What are the steps to be taken after a breach?” he asks. “Do we know what the intruder has accessed? How do you communicate with your suppliers, customers, other stakeholders?”
Theresa Grafenstine, inspector general of the U.S. House of Representatives and international vice president of ISACA, says government auditors have already been down this path and discovered they could learn a lot about the technical side of cyber-security risks by shadowing third parties who do the technical work. “It looks daunting, but you have to start somewhere,” she says. “If you keep relying on outside contractors, you never gain the skills yourself. So write into the contract as the contractors perform their audits, we want to sit with them through every step and learn.”
The task is a little less daunting, Grafenstine says, if internal audit departments accept that they can’t control all the risks, and instead focus on the biggest ones. “If you want to get your arms around the entire cyber-problem, that’s like boiling the ocean,” she says.
Internal audit departments also should prepare for a world where cyber-security risks are subject to ongoing monitoring, rather than an annual or biannual exercise, Holcomb says. “There’s a lot of enthusiasm today about building a program and getting it into place,” she says. “We recommend that internal audit monitor and periodically test the effectiveness of the company’s information security and privacy program.”