Cyber security - what heads of internal auditors need to know

15 October 2015

Cyber security is increasingly becoming a hot topic in meeting agendas for board meetings and audit committees. Boards are realising that cyber security is an area that needs to be actively measured and continuously monitored.

BDO provides cyber security services to clients in a number of industries, including:

  • Financial services
  • Retail
  • Social housing
  • Public
  • Not For Profit

We have seen an increase in the number of boards and audit committees discussing the results of our cyber security engagements. Not only have we found board members to be increasingly interested in cyber security threats, but we have also noticed increasing levels of maturity in senior management, non-executives and trustees' understanding of cyber issues. In light of recent high profile incidents, it is now not uncommon for audit and risk committees to include the risk of cyber-attack as a key risk in their audit Terms of Reference.

With the increased attention to cyber security, internal auditors will need to assess their organisation's cyber security posture as part of their audit plans. Security audits will vary from high-level governance reviews to deep technical reviews. External technical expertise should be sought where internal capability is lacking. Outside advisors can provide up-to-date technology and benchmark results across an industry sector. Internal auditors can help drive the organisation's cyber security agenda by highlighting and assessing compliance against relevant security standards and frameworks such as Cyber Essentials, ISO 27001, COBIT and PCI DSS.

One key challenge facing internal audit and risk teams is understanding cyber security risks. Audit and risk professionals have a good understanding of risk and controls but a limited understanding of the cyber security implications for their organisation. It is common to outsource cyber security to the IT department, with auditors placing a high degree of assurance on the technical input provided by the IT function. The cyber security landscape is rapidly evolving and the right skills are in short supply. Internal auditors should consider very carefully the reliance placed on information received from those who are, effectively, the "first line of defence".

The key area for boards, and therefore Heads of Internal Audit, in cyber security matters is governance. We suggest that this breaks down into two areas:

  1. Identifying the firm's key assets and affording them adequate protection, and
  2. Managing cyber security risks on an on-going basis.

Identifying critical assets is vital for an effective cyber security programme. All assets should be identified by working together with business and IT staff members. Assets should be classified based on the criticality of the data to the business. An asset register is also useful for internal audit planning, as it can help identify the organisation's crown jewels, which demand a higher level of assurance. Asset owners should be identified, including where data is held or processed by third parties such as outsourced suppliers. It is important to note that those responsible for day-to-day management or maintenance of systems (i.e. the IT function) are not necessarily the owners of the data held on those systems. The data owner of a data set should ideally be a senior person of authority in the team that deals with that data as part of their job responsibilities, not just someone allocated in the IT department.

Once critical information assets are identified, the organisation's risk appetite for cyber security should be agreed. Internal audits should be planned to provide assurance to the board that the organisation's key data assets are being protected in line with its risk appetite.

In terms of on-going management, one of the key areas where we feel Heads of Internal Audit could be more proactive is incident management. Given the current environment, how would your organisation respond to a direct cyber security threat? How often do you test your incident plan? Cyber security incidents can range from external targeted attacks to internally triggered breaches arising from a lack of awareness of policy. It is almost a given that any organisation, big or small, will face a cyber security incident of some sort today. The best an organisation can do is to secure its crown jewels and be equipped to deal adequately with incidents in a timely manner.

Heads of Internal Audit shoulder the key burden of providing assurance over how the organisation manages the cyber security threat. Depending on the organisation's risk appetite, there are a variety of activities Heads of Internal Audit may recommend, ranging from information asset management and data flow analysis to staff training and penetration testing. These will help to ensure the organisation is adequately prepared to combat the growing cyber security threat.

Author: Omer Tariq, Senior Manager, Technology Risk Advisory