Last week, I attended the Institute's Heads of Internal Audit Forum on Cyber Auditing. The discussion focused on the recognition that cyber security isn't just an IT risk but an organisation-wide risk. The need for internal auditors to develop and grow their skillset, as more attacks are anticipated, continues. Future attacks have the potential to be even more damaging to business operations than the recent WannaCry and Petya breaches.
Internal auditors need to remind the board and audit committee that they can and should work with the business to provide the necessary assurances around internal control and risk management in relation to the current and future preparedness of their business if/when there is a cyber-attack.
As businesses are using the Cloud to store their data, internal auditors need to be aware of the risks associated with data storage on the Cloud. In a report published by Lloyd's of London earlier this week, it is estimated that the global cost of a malicious attack on a cloud service provider could amount to $53bn. However, a speaker at the event from one of the firms was very clear in their view that the Cloud is probably currently one of the most secure places for an organisation to store data.
Many of the Cloud providers are reluctant to disclose any information on where the data is stored, which may well present an issue for your organisation. There are businesses in the UK that insist that data relating to their customers/patients is held on servers located in the UK. In a Cloud data storage environment it may not be possible for either the business or internal audit to guarantee this. A Cloud provider is also unlikely to allow internal auditors to perform an audit even if there is a right-of-audit clause in the contract. Reliance then has to be placed on the provider's published security measures and any internal audit assurances they may have in place.
Under GDPR it will be a company's responsibility to ensure that its data is protected, so internal audit will need to provide assurance that this is satisfactory. In order to do so, internal auditors may have to accept the published security measures and recognise that they cannot have access to the provider's systems. So how can they provide assurance to their organisation? Perhaps by understanding the key risks to their organisation, asking the 'key risk' questions of the Cloud provider, and not being prepared to accept answers that simply focus on security.
Internal audit needs to consider asking the following questions of itself and the business:
For all of this, it is vital that you, as internal audit, have the support of everyone in your organisation. Boards, Audit Committees and senior management have prime responsibility for ensuring there are risk frameworks in place whereas internal audit has responsibility for providing the level of assurance sought by these key stakeholders and ensuring that both internal audit and the organisation learn from the failures of others.
Internal audit has a critical role to play in providing the level of assurance sought by the organisation that cyber security risks, controls, policies and procedures are fit for purpose, have been embedded across the organisation and are being adhered to. Internal audit's continuous auditing regime will support such an approach.
The next forum for members of the Heads of Internal Audit Service will take place on 14 September, where we will be talking about 'Blockchain and the impact on financial markets'.