Nearly three out of four (73%) organizations surveyed include cybersecurity risk in their internal 2016 audits, a 20% increase year-over-year, according to a new Protiviti Inc. report.
The 2016 Internal Audit Capabilities and Needs Survey report, titled Arriving at Internal Audit’s Tipping Point and Business Transformation, was released on Wednesday by the global consulting firm. It involved a survey of 1,333 respondents – the majority from North America – in the public, private, government and non-profit sectors and was representative of virtually all industry sectors.
The survey found that there are two critical success factors when establishing and maintaining an effective cybersecurity plan: a high level of engagement by the board of directors in information security risks, and the inclusion of an evaluation of cybersecurity risk in the current audit plan.
Companies with at least one of these success factors in place have a stronger risk posture to combat cyber threats, Protiviti noted in the report. For example, 92% of organizations with a high level of board engagement in IT risks have a cybersecurity risk strategy in place, compared to 77% of other organizations. Similarly, 83% of companies that include cybersecurity risk in the annual audit plan have a cybersecurity risk policy, versus 53% that do not include cybersecurity risk in their audit plans.
And, according to the report, 57% of companies surveyed have received inquiries from customers, clients and/or insurance providers about the organization’s state of cybersecurity.
In 2016, technology issues dominated the priority list for internal auditors. The top 10 priorities for internal audit are:
1. ISO 2700 (information security)
2. Mobile applications
3. NIST cybersecurity framework
4. GTAG 16 – Data Analysis Technologies
5. Internet of Things
6. Agile risk and compliance
7. ISO 14000 (environmental management)
8. Data analysis tools – statistical analysis
9. Country-specific ERM framework
10. Big data/business intelligence
“With most of the top priorities identified relating to IT risks, it’s clear that auditing IT has never been more important to internal audit functions and to the state of an organization’s overall risk profile,” said Brian Christensen, executive vice president, global internal audit with Protiviti, in a statement. “The rapid introduction of new technologies, combined with the growing frequency and magnitude of corporate cybersecurity lapses, is driving internal audit to increase its IT audit capabilities each year.”
With internal audit now at a “tipping point,” Christensen continued, these top priorities are more important than ever before. “If the internal audit function doesn’t keep up with the growth and innovation of companies, it will be left behind,” he said. “The time to act is now.”