Navigating A Changing Landscape – Internal Auditing

As technology and the threats that come with it change, internal auditing must change with it.

Audit teams must address cyber risk and the challenges that come with implementing emerging technology.

It is the responsibility of the internal audit function to help ensure an organization’s governance, risk and compliance (GRC) activities and information technology (IT) systems support the business and accomplish its goals.

Although there are many challenges when it comes to the auditing of the cybersecurity controls of the modern enterprise, the role internal audit plays is as important as ever.

Cyber risk has evolved to the point where it now poses a tangible threat to the very existence and success of an organization.

The pervasive nature of cyber risk means that everyone, from the board down to the IT personnel, is accountable for the security of the organization’s information assets.

The heightened awareness of cyber risk has led to heightened expectations regarding the role internal audit plays in the enterprise.

Of all the IT-related risks facing organizations today, cybersecurity is the one that has the highest impact.

Over the past few years, there have been significant changes made to the way internal audit service operates within the enterprise.

The role auditing plays concerning the cybersecurity function is one of the most significant changes.

These changes are coming about because the risk profile of the enterprise has dramatically changed over the past several years.

Technology enables the business to operate more efficiently but also creates the potential for the enterprise to be compromised.

These changes are also being driven by the fact that the IT function has evolved.

Technology itself is no longer the purview of the CIO’s office, but instead should be seen as a business risk requiring oversight from all facets of the organization.

According to the annual ISACA State of Cybersecurity Survey, the number one concern for organizations today is the failure to detect cyberattacks.

That failure to detect attacks results in the loss of sensitive data and the execution of malicious activities.

That could lead the enterprise toward a crisis and the potential demise of the organization.

Technology has become an integral part of the organization’s ability to operate the business.

The failure to adequately secure the technology could result in the enterprise losing the confidence of its customers, value chain partners, shareholders, and regulators.

One of the biggest challenges of today’s internal auditing team is attempting to address current technological risks.

They must filter out the emerging risks and create and execute timely audits.

Focusing on pre-emptive analyses should always be on your internal audit team’s mind.

How can you better leverage technology, analytics, and AI to focus beyond qualitative risk analysis?

The goal should be to find something that can better predict, detect, and prevent future risks.

One strategy is to crowdsource risk across the enterprise to inform and reduce the costs associated with risk management for your institution.

Internal audit plays an important role in the governance, risk and compliance (GRC) triad when it comes to the cybersecurity function for several reasons:

  1. The Board of Directors and the Audit Committee expect the internal audit function to play a role in the enterprise’s cybersecurity program
  2. The C-suite executives require the internal audit function to provide insights regarding the effectiveness of the IT risk management program, and whether stated objectives are being achieved
  3. The IT function itself requires that the internal audit function provide the necessary resources and the objectivity to help with the design, implementation and testing of the controls in place to provide the enterprise with the assurance that the technology environment is within the security parameters stated by the IT department.

How has internal auditing changed?

There should be a shift in focus from testing entities based on a revolving plan to testing entities while focusing on business, process, and strategic risks.

Your institution should shift from looking at historical data to detecting risk based on events that are happening today.

Using data to zero in on important risks and risk factors to drive actions within your institution is a must.

Dealing with Cybersecurity Risk

The internal audit team’s main role in managing cybersecurity risk starts with strong communication channels.

By identifying the cyber risk challenges the company faces, internal auditing can consult, advise, and help build a functional cyber risk management program.

To do this, your internal auditing team must consider cyber risk and information security to create a continuous security assurance design program.

However, executing traditional cyber audits is still critical and recommended.

Outputs from assessments can be used by internal auditing to inform the board and auditing committee on the institution’s current cyber risk situation.

These same outputs of the assessment can be used by the IT department to find or improve talent, add additional funding, and create a remediation plan.

Cyber risk has grown so rapidly and evolved so dynamically that it requires a different approach than most other traditional areas addressed by the internal audit function.

It requires the internal audit function to work closely with the IT department, the cybersecurity professionals within the enterprise, the board of directors and the business process owners to ensure that the program is designed appropriately.

The first step toward making changes to the role the internal audit function plays in ensuring the enterprise remains secure is for the internal audit function to become the subject matter experts regarding the cybersecurity environment.

One of the first steps the internal audit function can take is to work with the IT department to do a gap assessment between the stated objectives and the current state.

The next step is for the internal audit function to determine how it will provide the needed resources, expertise, and objectivity to the IT department.

Most of the cyberthreats the enterprise faces will continue to be the result of the social engineering techniques used by the hackers in a business email compromise attack or a ransomware attack.

It is the job of the internal audit function to ensure that the enterprise has the necessary preventive controls in place to prevent these attacks from occurring.

This is where working closely with the business process owners becomes vital, as the internal audit function understands the business objectives and the areas the enterprise must focus on to reduce the risk of the enterprise.

The final step is for the internal audit function to test whether the controls that it and the IT department determined to be necessary actually protect the organization’s sensitive data and technology assets.

The internal audit function needs the stakeholders’ support to make the necessary changes, but the effort will be worth the results.

As the internal audit function becomes the subject matter expert, the executive leadership will have the necessary tools to make the changes needed to reduce the enterprise’s exposure to cyber risk.

Increased confidence in the cybersecurity program will translate into a more profitable enterprise that can focus on the key initiatives that lead to increased shareholder value and greater corporate social responsibility.

Implementing Emerging Technologies into the Audit Process

Your team must build up to using emerging technologies.

There is no need to change your methods and strategy overnight.

The internal auditing team should come up with use-cases, test them, and then roll out the technology into the processes gradually.

ROI for automation can’t always be measured by the time saved.

The goal is to free up time to do more meaningful tasks within the audit process.

Possible Challenges and Opportunities Due to the Pandemic

The amount of human capital needed to pursue risks in the traditional way will not be available.

Your institution should adopt technology to augment how you perform risk assessments, identify risk events and prevent risks.

Technology will be critical to the success of your institution.

Where is the Internal Audit Field headed in the Next 10 Years?

The industry is headed towards a risk-identifying audit function and real-time assessments coming to fruition.

They will be based on behavioral patterns where risks can be anticipated and correlated to different parts of the business.

This would help mitigate risk events before they occur and allow audit plans to be adjusted as risks present themselves in real time.


Organizations need the right internal cyber risk management programs in place to protect their assets and safeguard the company’s reputation.

Cybersecurity has evolved from a niche IT discipline into an enterprise-wide priority, and the role of the Internal Audit function is changing as well.

To stay ahead of this trend, companies must have strong cybersecurity controls put in place that address both external attackers and rogue employees who may be tempted by financial gain or disgruntled with other aspects of employment.

In addition, organizations should invest heavily not just in software but also in training so workers know how best to defend the company against internal threats.

By making the right investments now, companies can better manage the risks associated with their cyber exposures and use the internal audit function to ensure the proper controls are in place.