
Recognising internal audit’s role in cyber risk

Technical blog by Liz Sandwith, chief professional practice advisor | 19 July 2016


Last week, I attended the Institute’s Heads of Internal Audit Forum on Cyber Auditing. The discussion focused on the recognition that cyber security isn’t just an IT risk but an organisation-wide risk. The need for internal auditors to develop and grow their skillset, as more attacks are anticipated, continues. Future attacks have the potential to be even more damaging to business operations than the recent WannaCry and Petya breaches.

Internal auditors need to remind the board and audit committee that they can and should work with the business to provide the necessary assurances around internal control and risk management in relation to the current and future preparedness of their business if/when there is a cyber-attack.

As businesses are using the cloud to store their data, internal auditors need to be aware of the risks associated with data storage on the Cloud. In a report published by Lloyd’s of London earlier this week, it is estimated that the global costs of a malicious attack on a cloud service provider could amount to $53bn. However, a speaker at the event from one of the firms was very clear in their view that the Cloud is probably currently one of the most secure places for an organisation to store data.

Many of the Cloud providers are reluctant to disclose any information on where the data is stored, which may well present an issue to your organisation. There are businesses in the UK that insist that data in relation to their customers/patients is held on servers located in the UK. In a Cloud data storage environment it may not be possible for either the business or internal audit to guarantee this. A Cloud provider is also unlikely to allow internal auditors to perform an audit even if there is a right-of-audit clause in the contract. Reliance then has to be placed on their published security measures and any internal audit assurances they may have in place.

Under GDPR it will be a company’s responsibility to ensure that its data is protected, so internal audit will need to provide assurance that this is satisfactory. In order to do so, internal auditors may have to accept the published security measures and recognise that they cannot have access to the provider’s systems. So how can they provide an assurance to their organisation? Perhaps by understanding the key risks to their organisation, asking the ‘key risk’ questions of the Cloud provider, and not being prepared to accept answers that simply focus on security.

Internal audit needs to consider asking the following questions of itself and the business:

  1. Is the organisation performing an annual security strategy review? Does internal audit have the appropriate resources and staff in place to review and provide an assurance in relation to the outcomes from the annual security review?

  2. Does your organisation have a cyber incident policy? In the immediate aftermath of the WannaCry attack, many public sector bodies did not have the right software patches in place, leaving them even more vulnerable to attacks.

  3. Does your organisation ensure that staff at all levels are trained in recognising potential attacks and breaches? Key input into the training is the lessons learnt from work undertaken in other organisations, e.g. an NHS Trust in Leeds provided training to all staff in relation to phishing e-mails and then tested the effectiveness of the training by sending out a phishing e-mail. Around 4% of the staff who had undergone the training clicked on the e-mail and the attachment!

  4. Does your organisation formulate plans and strategies for improving cyber security risk management? Has your organisation assessed what its ‘Crown Jewels’ are, and does it protect them as effectively as possible? Understand the potential sources of an attack and share your intelligence with key stakeholders in your organisation.

  5. If your organisation is thinking of working with any third-party providers, internal audit needs to ensure due diligence is top of the agenda and, if possible, work with the organisation to ensure that the due diligence is appropriate, pragmatic and proportionate, thereby seeking to ensure that the supplier/third party is complying with industry standards and regulations. To minimise exposure to risk, organisations need to implement a consistent monitoring programme to ensure that third-party operations continue to meet performance and compliance standards, perhaps through annual reviews, customer feedback etc.

  6. In order to protect your organisation from attacks, consideration needs to be given to implementing an identity and access management policy. In practice, this means that the right people access the right resources at the right times and for the right reasons.

For all of this, it is vital that you, as internal audit, have the support of everyone in your organisation. Boards, Audit Committees and senior management have prime responsibility for ensuring there are risk frameworks in place whereas internal audit has responsibility for providing the level of assurance sought by these key stakeholders and ensuring that both internal audit and the organisation learn from the failures of others.

Internal audit has a critical role to play in providing the level of assurance sought by the organisation that cyber security risks, controls, policies and procedures are fit for purpose, have been embedded across the organisation and are being adhered to. Internal audit’s continuous auditing regime will support such an approach.

The next forum for members of the Heads of Internal Audit Service will take place 14 September where we will be talking about ‘Blockchain and the impact on financial markets’.



Content reviewed: 14 August 2017