March 4, 2015 by Canadian Underwriter
A study from global consulting firm Protiviti said that while many organizations rate themselves as less than “very effective” at addressing their cybersecurity risks, the results are significantly better for organizations in which the board of directors has a high level of engagement with information security risks, and those that include cybersecurity in the annual audit plan.
The study, From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions was released on Tuesday and included more than 800 internal audit professionals, including chief audit executives. Along with a review of cybersecurity management and processes, the survey assessed general technical knowledge, audit process knowledge, and personal skills and capabilities.
“Across the globe, businesses are continuing to experience cybersecurity issues, challenges and breakdowns,” said Brian Christensen, Protiviti’s executive vice president, global internal audit and financial advisory, in a release. “Our survey shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cybersecurity frameworks into business processes. Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats.”
The survey shows a clear, positive correlation between a high level of board engagement in information security (30% of respondents) and an organization’s ability to acceptably manage cybersecurity risk. There is a similar relationship between having defined cybersecurity measures in the annual audit plan and the successful management of cybersecurity risk. For example, nearly half of organizations with a high level of board engagement (47%) rate themselves as “very effective” at identifying cybersecurity risk, compared to just 19% of other organizations. As well, 70% of organizations that include cybersecurity in the audit plan have a cybersecurity risk strategy in place, compared to 42% of other companies.
More than half of the respondents (53%) note that cybersecurity evaluation has been included in their current audit planning. Of those organizations, 60% have used the NIST Cybersecurity Framework to measure and evaluate existing programs.
According to survey participants, the top five most significant cybersecurity risks are:
• Data security (company information);
• Brand/reputational damage;
• Regulatory and compliance violations (tie);
• Data leakage (tie); and
• Viruses and malware.
For the study, respondents also evaluated 35 areas of audit process knowledge in terms of their priority for improvement. The top priorities include auditing IT security, computer-assisted audit tools, data analysis tools for data manipulation, marketing internal audit internally, and monitoring fraud.
“As in previous years, the results show that internal auditors are intent on improving the way they leverage technology to analyze data and create new efficiencies to free up resources,” the release said. “Results also indicate an increased desire to adhere to new guidance and standards in order to advance existing IT audit plans, and more effectively communicate the importance of these audit practices to key stakeholders.”