Internal auditors and other audit professionals place concerns about data security among their top priorities, according to Protiviti’s 2015 Internal Audit Capabilities and Needs Survey.
With organizations becoming increasingly vulnerable to cyberattacks, the annual Protiviti survey added a section specifically examining the roles and responsibilities of chief audit executives and internal auditors relating to cybersecurity. More than 800 audit professionals participated in the 2015 study.
The survey revealed three key points:
- Cybersecurity risk management must be improved significantly. Fewer than a third of organizations said that they are currently “very effective” at managing the risk at an “acceptable level.”
- Organizations that are most successful in managing cybersecurity risk include it as part of their audit plans and have boards of directors that are “highly engaged” in managing the risk.
- Worries about cybersecurity risk are most frequently centered on the areas of “company information, brand and reputation damage, regulatory compliance, and loss of employees’ personal information.”
In rating the level of cybersecurity risk to their organizations, the audit professionals placed company data security at the top. On a scale of 1-10, with 10 representing the greatest risk, data security was rated at 7.9, with damage to brand or reputation following closely at 7.7.
Both regulatory and compliance violations and data leakage (personal employee information) rated 7.5. Viruses and malware came in at 7.3 and interrupted business continuity at 7.2.
Financial loss ranked seventh at 6.8, and loss of intellectual property eighth at 6.6. Loss of employee productivity (6.4) and employee defamation (5.8) rounded out the perceived top 10 cybersecurity threats.
Asked where addressing cybersecurity risk delivers the most value, 40 percent of respondents pointed to identifying risk and control problems earlier. Complying with regulations (16 percent) and monitoring reputation risk (15 percent) were cited far less often.
The remaining responses named support for the overall business strategy (11 percent), validation of control effectiveness or failure (10 percent), improved operational performance (5 percent), and cost recovery or improvement (3 percent).
More than half of the organizations involved in the survey have instituted a cybersecurity risk strategy or policy, and most have at least some method of assessing cybersecurity risk.
The survey also measured how involved various individuals and groups within the organization are in cybersecurity risk assessment, on a scale from significant to none. The following percentages of organizations reported significant involvement from each group:
- 69 percent – human resource department
- 48 percent – internal and IT auditors
- 44 percent – executive management
- 33 percent – company IT representatives
- 31 percent – legal department
The following percentages of organizations reported moderate involvement from each group:
- 47 percent – company IT representatives
- 46 percent – external auditors
- 43 percent – audit committees
- 41 percent – executive management
Considering the negative impact of a cyberattack, it may be somewhat surprising that 28 percent of organizations had audit committees that were only minimally involved in cybersecurity risk assessment, and 12 percent had audit committees with no involvement at all. Likewise, legal departments were minimally involved at 19 percent of organizations and not involved at all at 16 percent.
These involvement percentages were strongly influenced by how engaged an organization’s board was in cybersecurity issues and by whether cybersecurity was part of an organization’s audit plan.
Briefly, Protiviti’s recommendations to internal auditors and chief audit executives for improving their organizations’ cybersecurity include:
- A cybersecurity strategy/policy
- Development of “very effective” means to identify, assess and mitigate cybersecurity risk
- Recognition that employees or business partners can be threats to cybersecurity
- Engagement of board members in cybersecurity risk concerns
- Inclusion of cybersecurity risk in the audit plan
- Up-to-date awareness of emerging technologies that could affect the organization’s cybersecurity
- Making cybersecurity monitoring and “cyber-incident” response a top management priority
- Sufficient IT/audit staffing and resources