Nearly three out of four organizations now include cybersecurity risks in their internal audits, a big jump from last year, according to a new survey.

The annual survey, by the consulting firm Protiviti, found that 73 percent of the organizations it polled now include cybersecurity risk in their internal audits, a 20 percent increase year-over-year.  More than half (57 percent) of the companies surveyed said they have received inquiries from customers, clients and/or insurance providers about the organization’s state of cybersecurity.

“Cyberattack threats are significant and continuously evolving in sophistication,” said Brian Christensen, executive vice president of global internal audit at Protiviti, in a statement. “Our survey found that when it comes to cybersecurity and auditing processes, the highest performing organizations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks. It’s still apparent, however, that further work is essential to build out these internal audit capabilities. Companies must take stronger action to set these imperatives into place.”

More than 1,300 internal audit professionals, including more than 150 chief audit executives, participated in Protiviti's 10th annual survey to assess the top priorities for internal audit functions in the coming year.
The latest survey found there are two critical factors when establishing and maintaining an effective cybersecurity plan: a high level of engagement by the board of directors in information security risks; and including the evaluation of cybersecurity risk in the current audit plan.

Companies with at least one of these factors in place have a stronger risk posture to combat cyber threats. For example, 92 percent of organizations with a high level of board engagement in information security risks have a cybersecurity risk strategy in place, compared to 77 percent of other organizations. Similarly, 83 percent of companies that include cybersecurity risk in the annual audit plan have a cybersecurity risk policy, versus 53 percent that do not include cybersecurity risk in their audit plans.

To access the survey, visit www.protiviti.com/IAsurvey.