Cybersecurity has topped the list of critical risk for organizations for the fifth time in both the European Confederation of Institutes of Internal Auditing’s (ECIIA’s) 2022 Risk in Focus report and the Institute of Internal Auditor’s (IIA’s) OnRisk 2022 report. The COVID-19 pandemic and the crisis in Ukraine have only aggravated it. In addition, the IIA’s OnRisk 2022 report notes that internal auditors have the most significant gap in their competencies related to cybersecurity risk assurance. Therefore, it is crucial for organizations to understand how best to assess their own audit effectiveness and how to improve it.
We conducted an international survey about the effectiveness of auditors in the cybersecurity area and developed an instrument to measure it. The instrument can help organizations understand how effective their cybersecurity audit practices are, including planning, performing the engagement and reporting. Scores can then be used to compare to an international sample.
Once a score has been determined, auditors can use that score to dictate next steps for the organization to improve its cybersecurity audit processes and, thus, increase its score. There are several best practices internal auditors can follow to increase their cybersecurity audit effectiveness, including:
- Upskill—One factor that helps significantly increase audit effectiveness is to increase internal auditors’ competencies by encouraging certification, such as ISACA’s Certified Information Systems Auditor (CISA) and Cybersecurity Audit Certificate Cybersecurity audits require specialized knowledge and skills that only upskilling can provide.
- Cosource or outsource, but stay in control—If the cybercompetencies of an internal audit function are not entirely satisfactory, co- and outsourcing can be helpful. In the case of cosourcing, the results of various external audits can be combined to create an overall opinion. It is also important stay on top of reporting because only the internal team can assess how well cybersecurity risk management is integrated in enterprise risk management.
- Engage in all three audit phases—There should be a strong correlation among all three phases of the audit. A lack of good planning has severe implications for the engagement and reporting phases. Understandably, an audit of a large number of controls will be spread out over multiple years. Still, the most pertinent risk factors should be identified and prioritized to provide a comprehensive picture of the effectiveness of cybersecurity risk management in the year of reporting.
- Cooperate with the first and second-line roles—Even though an independent internal audit is important, it should not be isolated from the other two lines, as suggested by the new three-line IIA model. The cooperation among the three lines has positive results on the effectiveness of cybersecurity risk audits. Assurance mapping to delineate the duties of each line contributes to a more efficient use of limited internal audit and IT department resources.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “How Effective Is Your Cybersecurity Audit?” ISACA Journal, volume 3, 2022.
ISACA Journal turns 50 this year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!