
The role of internal audit in cybersecurity

Join our team for Episode 5 of Material Observations: Insights on Internal Audit

November 08, 2023

Cybersecurity is certainly top of mind for today’s organizations. From ransomware and cloud security to regulations like the General Data Protection Regulation (GDPR), companies know that cybersecurity is a rapidly growing concern for enterprise risk management. What then is the role of internal audit in the future of cybersecurity?

Episode 5 of our podcast, “Material Observations: Insights on Internal Audit,” is all about cybersecurity, diving into this critical topic and discussing internal audit’s role going forward. Host Katie Landy, RSM risk consulting principal, jumps right in with two guests from RSM’s cybersecurity practice: Autumn Hurley, security and privacy risk consulting principal, and Joe Strain, security and privacy risk consulting director. Together they analyze and answer the pressing questions.

Compounding the challenge, a tight labor market has made it harder for organizations to find qualified talent to manage security in-house, and organizations that lack the right staff are even more exposed to cyber threats.

Listen to episode 5 to hear more about internal audit and its role in cybersecurity in the future.

Edited transcript

Katie Landy: Hello and welcome to episode five of RSM's Material Observations, Insights on Internal Audit, where we explore what's happening in internal audit today. I'm your host, Katie Landy, Risk Consulting Principal at RSM. Today I'm joined by Autumn Hurley, Security and Privacy Risk Consulting Principal at RSM, and Joe Strain, Security and Privacy Risk Consulting Director at RSM. We're going to talk a little bit about the role that internal audit plays as it relates to cybersecurity. Let's get started. Hello, Autumn. Hello, Joe. Thanks for joining us. I am excited to jump into this very evolving topic of cybersecurity.

Autumn Hurley: Hi, Katie. Thanks for having us.

Joe Strain: Thanks for having us.

KL: All right. Let's dive to the first question here. Thinking about the role of internal audit and how they've engaged on the topic of cybersecurity, how has this evolved, and really how are we expecting this to continue to evolve over time? It would be interesting to also understand how internal audit functions are navigating this within their team or also understanding are they looking at third parties to help them with this specific topic?

JS: That is a great question, Katie. So the evolution we're seeing is much more of a focus on consultative audits. In the past, we would do a test of design and a test of effectiveness. So we would pull the controls out of their policies and procedures to see if they're operating as designed, that they're operating effectively. Now we're seeing internal audit really get out of that and much more from a consultative approach. So taking leading practices based on frameworks like the Center for Internet Security or NIST and really helping through audit drive best practice or leading practice and more of strategy on the backend and much, much less focus on just test of effectiveness.

Some of the areas we see recent requests for are items like an in-depth Active Directory review where we would align that with the Center for Internet Security framework. We're looking at all of their organizational units, their security groups, their group policy objects to see if they are as prepared as they can be for today's cybersecurity threats in their Active Directory environment. Another very good example of this is a ransomware preparedness review. So looking at the resiliency of their backups, looking at what their users can do on the endpoint, if they can get to command prompt, if they can get to PowerShell. How would ransomware move throughout their environment? Those are the kinds of audits we're seeing recently requested and really that evolution from the past.

AH: And not only that, but from a talent standpoint, it's really difficult to find that expertise in-house. Internal audit departments are leveraging more automation than we've seen in the past. Not only that, but working really closely to partner with those trusted advisors that can bring those differing skill sets in all those areas that Joe mentioned and more, those that have deep expertise in different applications and technologies and tooling.

KL: Well, and I think about cybersecurity. I mean, that is such a broad term. There's so much that's inclusive of the topic itself. So it would be great to understand how can internal audit functions look to identify what types of cyber audits that should be done, and when they do identify that, what's their course of action there?

AH: Yeah, no, that's a great point. So really the best way to approach identifying which audits do we want to focus on, how do we build out that audit plan is really making sure that internal audit's part of that broader enterprise risk management program and strategy. How are we assessing risks from a business standpoint? Where do we consider our data to be critical so that we are all focusing with the same goals and strategy in mind when we do develop that internal audit plan? Partnering with other business units, like IT, various application owners, partnering with the CISO, understanding their goals and from their perspective what they're seeing as risks to the organization that can also be incorporated into that internal audit plan.

Again, having a trusted partner. Understanding data and what are those different trends and things that are happening in the industry as it relates to, there's a lot of regulations that are coming out around data privacy and protection. Are we incorporating that into our audit plans as well? Just really ensuring that you have that trusted partnership with other leaders in the organization is really what's going to help with that continuous improvement and making sure that you're assessing the right audits. Joe, I don't know if you had anything you want to add onto that?


JS: The only thing additional is to make sure we're properly embedded in the enterprise risk management program because what I've seen from my experience when they're doing the ERM updates, cybersecurity is a single auditable entity. And to Katie's earlier point, cybersecurity is very broad, very complex, and it's not something you can throw into one audit bucket. So it's really just us having a place at that table to influence the auditable entities to make cybersecurity a bigger part of the enterprise risk management process. Therefore, you could focus audits a little better in the future. But it's really having a seat at the table, to exactly your point, Autumn, with the CISO, with the CIO, hearing their pain points, hearing their struggles and really being able to add value through assisting them.

KL: It's clear, cybersecurity is something that requires continuous monitoring. So oftentimes when I'm engaging with clients, this isn't just a one-time audit, this is something that we're looking to incorporate throughout the audit lifecycle in a particular audit year, but also on an ongoing basis. And to each of your points, it needs to be really a risk that rises to the level across the enterprise.

All right. I know obviously this is a topic near and dear to each of your hearts, but obviously this is something that is on every audit committee's agenda, every board's agenda. We'd love to understand from each of you, how do we get the audit committee and boards more involved? Specifically how internal audit can help support the broader cybersecurity initiatives?

JS: Absolutely. That's a great question, and really one of the best ways I like to do that is to offer an annual cybersecurity training to the audit committee and the board to go through new threats, new attack techniques. What are we seeing at their peers? What are we seeing within their industry that they should really focus on? During that training, one of the areas we really like to stress is the board and the audit committee's responsibility as it pertains to cybersecurity. If it is determined after a data breach there was negligence in that area or the board was not paying enough attention to that topic, they under certain regulations can be held personally responsible. So it's really just them understanding the importance of their role and really the influence they could and should have, and really communicating that during an annual cybersecurity training. So that would be the best way that I would really communicate that to the audit committee.

Also, what Autumn and I often do is we're presenting quite often to the audit committee through presenting our reports, presenting quarterly updates on the entire process. We tend to have a relatively good amount of face time with the audit committee. So with that, really influence and again, the urgency and the importance and really making it clear and ensuring they understand the open audit issues from the past, the status of those past issues. So they're really mitigating and reducing risk through internal audit and really not letting the risk kind of hang out there.

AH: Yeah, exactly. And by making that a regular ongoing conversation, it changes the culture, it changes the perspective. You get more education in front of the board and others. Not only that, but having the CISO or CIO presenting to the board and audit committee on what are those differing risks that we're seeing at our organization specifically, what types of key performance indicators are we tracking too from a security organization that are relevant that the board and audit committee should be made aware of? What types of security events are they seeing? How are we responding to those incidents? What are the results of our annual awareness training and training campaigns that we're testing our users on? There's a lot of different things there from a performance standpoint, but really having that ongoing dialogue and making it a part of the ongoing process is really what's going to help create that awareness and culture change.

JS: And Autumn, you just made me think of one other really good point to stress here, and it's making sure there is somebody with an IT or cybersecurity background on the audit committee or the board that can really challenge the process, challenge the program, and add some insight of what they're seeing from their own profession or their own past career. Without somebody on the board or the audit committee with an IT background, a lot of it tends to go over their heads and they really don't want to sound ignorant to the process or dumb when they ask a question, so they really don't bring forward their concern. So it's certainly important for them to appoint somebody with that background to the audit committee or the board.

AH: Absolutely.


KL: Great point, guys. It's very clear that the need is to make sure that that audit committee, those boards are educated and where we can is having that expertise sitting amongst them. When we think about the increasing sophistication of cyber threats and the growing importance of data privacy, there's a lot to keep up with in terms of the information, the understanding, the guidance. What would you guys suggest to internal audit teams on how to best stay abreast of this information, the trends, the regulations, the best practices? Any thoughts that you can share?

AH: Yeah, there's a lot of different resources, ISACA being one. There's a number of organizations where they will send you, weekly or monthly depending on your preference, different cybersecurity attacks. What are some of those zero-day vulnerabilities that are coming out? What are some high-risk bulletins and things and trainings that you can attend? So I think putting together just an annual security awareness training and education program specific to the internal auditor's role is really a key part of planning that too. A lot of people follow Twitter, podcasts like we're doing today, but there are lots of resources out there. Joe, what do you have to add there?

JS: I often offer a lunch and learn or a similar format to that where, if the organization has a particular concern, we can spend some focused time on that. Data privacy is a very good example, very volatile, moving very quickly. Every month or so, there's a few more states that are signing these data privacy regulations into law or they're in evaluation from a cross-chamber perspective. So really, the other avenue or format I've used there is a lunch and learn just to communicate a specific topic.

KL: This is obviously an internal audit podcast. So we're talking about cybersecurity through the lens of the third line of defense. I know, Joe, you and I have had a number of conversations on how do we move beyond the third line to make sure that this is embedded throughout the organization. Do you guys have any client examples or stories that you'd want to share on how you've seen something that started through internal audit kind of expand beyond that third line of defense?

JS: Well, it might sound cliché, but it really is going back to being that trusted partner. A lot of times they first reach out to us for a very specific need. They have a technology they don't understand. They have a very specific concern. But through us bringing in subject matter expertise and really showing them that we bring in the power of the firm or that we really understand internal audit, that tends to expand us into being added to the table during the enterprise risk management updates, the annual internal audit risk assessment updates. So it really is just showing that this is a value add. In the past, internal audit tended to get put in a bucket where we're the police, we're the cops, we're here with kind of a gotcha mentality, and now we really need to show we're a value add, and we're helping them with the leverage for additional budget for tooling they might need, staffing needs, really pointing out more of the day-to-day needs of the organization.

AH: Yeah, those are really great examples. One thing that I love to see too is when we come to a new organization and you can see how their internal audit function as it relates to cybersecurity and that partnership with the CISO and IT has grown over that time so that they do have that collaboration because of some of those activities. Being in front of them, sharing data, meeting with the audit committee, being part of that overall internal audit planning, and taking into consideration the business needs, the business risks, and what's going on from a regulatory and trend standpoint.

JS: And Autumn, just to add to that, it's coming to the table with insight to the organization. So when we're talking to the CIO, the CISO, they don't want our findings to be communicated in a vacuum. To really add value through internal audit, we need to understand the change in the organization, the movement of the organization, what is the true risk, and not just assign a generic risk for whatever area that is under review. So it's really collaboration throughout the process, in planning, in fieldwork, all the way through reporting. Are we understanding the organization? Are we aligned with the true risk and the true need of what we're trying to facilitate here?

KL: As practitioners, I'm sure you guys have had a number of opportunities to work with a variety of clients. I think one of my favorite things about the job is when we can share our successes and the types of value that we've added. If you guys have any examples or favorite stories to share, feel free to do so.

JS: Katie, one of the items I'm most proud of is we had an internal audit client where we were in a co-sourced arrangement. They were doing over 10 audits a year with a pretty considerable team. They had five or six individuals completely dedicated to internal audit. And we were really in a co-sourced arrangement, just adding subject matter expertise where needed. But as we nurtured that relationship and strengthened that relationship, the internal audit director actually reached out to me for a review of their own internal audit process. So we did an internal audit around how they execute internal audit. So the risk assessment process, how they document work papers, how do they sample, how do they identify risk within the organization. We went through reporting templates. We went through how do they survey the C-suite and executives to get their feedback on internal audit. So that was extremely rewarding to me, to understand that the client valued my input enough to make themselves the auditee, for us to actually audit their process. So that was certainly memorable and rewarding to me, Katie.

KL: Autumn, anything you'd like to share?

AH: Yeah, those are definitely proud moments when you have a client like that. I just had one also recently where we were wrapping up an audit committee presentation. We have been doing a number of audits for a couple of years. We've built out trend analysis and data for them and shared some benchmarking data. And really just hearing the feedback and seeing the internal audit leader be complimented by the audit committee members, and being reached out to directly afterwards saying, "You know what? You've really helped us evolve our maturity. We're doing some things here that we were not doing a few years ago. We have more visibility now. We have a better understanding, and we're starting to talk about cybersecurity more frequently now because of this." I mean, those are definitely proud moments and a big reason why I love doing what I do.

KL: Thank you to RSM's Autumn Hurley and Joe Strain for their insights. And thank you to our listeners for joining us today.
