Internal audit can be the eyes and ears for IT risks

 

Our senses of sight and hearing are multi-faceted, resilient and always working — that’s how critical an internal audit team can be for the ongoing health of an organization.

 

Chris Saracco

“One of the benefits of internal audit departments is that they tend to be the eyes and ears of organizations.”

Chris Saracco

Grant Thornton IT Risk Advisory Managing Director

Internal audit (IA) has regular interactions across business units and departments, so “one of the benefits of internal audit departments is that they tend to be the eyes and ears of organizations,” said Chris Saracco, Grant Thornton IT Risk Advisory Managing Director. That’s why IA needs to be acutely attuned to information technology (IT) and cybersecurity threats. IA must be able to conduct cyber risk assessments and evaluations of the organization’s data governance, cloud infrastructure and ability to confront ransomware attacks.

 

The organization’s awareness and preparation must be driven by a sound IT IA plan, with the ability to execute that plan, measure its effectiveness and report its findings.

 

 

 

 

Build the right skills

 

To build, execute, measure and report on an IT IA plan, your organization must have the right skills and capacity. You need specialists who can bridge the gap between technology and effective auditing.

 

In a recent Grant Thornton webinar, respondents indicated that staff shortages often limit their ability to conduct specialized IT internal audits over areas past standard IT general controls.

 

 

An audit can encounter solutions that involve artificial intelligence, virtual reality, digital twin models and other technologies that touch the organization’s data, have access to the cloud and are vulnerable to bad actors.

 

Scott Peyton

“We're finding that organizations are trying to hire people who are more technically savvy, but they may not have a background in audit .”

Scott Peyton

Grant Thornton IA IT and Cybersecurity Practice Leader

At the same time, IA must do more than build its technology skills — it needs people who understand how to apply those technology skills to an internal audit. “We're finding that organizations are trying to hire people who are more technically savvy, but they may not have a background in audit,” said Grant Thornton IA IT and Cybersecurity Practice Leader Scott Peyton.

 

The webinar survey respondents indicated that the difficulty of recruiting and retaining people with the right skills is one of their biggest challenges for IT audits. Insufficient technology skills within an internal audit department, combined with inefficient or dated methods or approaches, can make it difficult for organizations to confront and adapt to the changing landscape of cybersecurity threats.

 

 

To help overcome these evolving challenges, organizations need to approach them with the right planning, training and support. With the right approach, audits can make a clear impact on cybersecurity.

 

 

 

 

Take 5 steps for impact

 

Five important steps can help an organization successfully implement IT IA with a measurable impact: 

  1. Take a comprehensive approach and leverage standards/frameworks
  2. Leverage IT audits and identify interdependence to ensure coverage
  3. Complement IA with technical and subject matter expertise
  4. Train staff to ensure they follow audit standards
  5. Provide advisory support in pre-audits, with advisory or consulting reviews

These steps reflect an ongoing interaction between IA and the entire organization, sharing expertise and resources that benefit everyone involved.

 

Vikrant Rai

“The plan should maintain a balance of business operations, IT and cybersecurity interdependence that provides maximum value for stakeholders and executive leadership.”

Vikrant Rai

Grant Thornton Internal Audit Cybersecurity Practice Managing Director

The goal is to establish a multi-year cybersecurity audit plan that aligns with your cybersecurity program and strategy, network and perimeter defense, data governance, data privacy, cloud governance and other specialized audits. This type of comprehensive and mature plan can succeed through a balanced approach. “The plan should maintain a balance of business operations, IT and cybersecurity interdependence that provides maximum value for stakeholders and executive leadership,” said Grant Thornton IA Cybersecurity Practice Managing Director Vikrant Rai.

 

To help maintain that value over time, organizations need to ensure comprehensive governance and control as the plan is executed.

 

 

 

Ensure governance to maintain impact

 

Matt Cassidy

“An internal audit can play an incredibly important role within data governance, making sure that data governance is being enforced and is operating critically.”

Matt Cassidy

Grant Thornton Advisory Services Managing Director

Organizations must establish effective governance to protect their data over time. “An internal audit can play an incredibly important role within data governance, making sure that data governance is being enforced and is operating critically,” said Grant Thornton Advisory Services Managing Director Matt Cassidy.

 

A complete data governance plan collects, organizes and protects the organization’s information. Ultimately, it can help the organization use information in effective ways to strengthen and profit the business. The plan must follow applicable regulations, have clear ownership guidelines and avoid redundancy and corruption.

 

Data and cloud governance must be understood in the context of your organization’s needs and environment. The IT IA can help your organization assess its cloud strategy, understand its cloud architecture, identify areas of improvement and build collaboration with cloud service providers. It’s essential to establish a strong relationship with cloud platform providers, including clear, concise and transparent communication. Both sides need to understand their roles, who has ownership of the data and who is responsible if there is any type of data breach or corruption. 

 

 

 

Ensure comprehensive coverage

 

It can be challenging to consider all of the domains and capabilities that your IT IA needs to assess. Many of the survey respondents indicated that they are unsure if their audits cover all of the necessary domains and capabilities — and some of the respondents are sure they don’t.

 

 

For the IA department to be the eyes and ears of the organization, it needs a comprehensive IA plan to confront technology challenges, with the ability to execute the plan with clear metrics to monitor and report effectiveness.

 

Plan, execute, measure and report — the eyes and ears of an organization must never stop working.

 

 

 
 

Contacts:

 
 
 
 

Our cybersecurity and privacy insights