Internal audit practitioners are facing new demands for improving cybersecurity and communicating the risks of cyberattacks to their organizations, according to a new report.
The Institute of Internal Auditors’ Audit Executive Center surveyed chief audit executives about internal audit’s efforts to communicate cybersecurity risks to the board and executive management. It found that 40 percent said the audit department provides significant or extremely significant effort, according to the 2016 North American Pulse of Internal Audit. Yet when asked what level of effort internal audit departments should have, 69 percent of respondents said the effort should be significant or extremely significant, a 29 percent gap.
Similarly, the gap was 22 percent for ensuring communication and coordination among all parties regarding cybersecurity risk, and the gap was 25 percent for working collaboratively with IT and other departments to build effective defenses and responses.
The widest gap involves providing assurance over readiness and response to cyberthreats, which ballooned to 37 percent.
Despite growing acceptance that cyberattacks are all but inevitable, the vast majority of organizations polled (89 percent) continue to see prevention and education as the best way to address the threat, with limited focus on what to do once an attack is detected or how to protect the organization’s reputation from the fallout.
Only 3 percent of the survey respondents listed reaction and restoration as the most effective methods of addressing cyberattacks.
“In the face of a cyberattack, addressing business continuity and reputational risk are paramount, yet few organizations are taking time to think beyond prevention,” said IIA president and CEO Richard F. Chambers in a statement. “The IIA has been promoting cyber resiliency—the concept of addressing the full spectrum of prevention, detection, reaction, and restoration—for some time, so these findings are particularly alarming.”
The survey findings match a recent EisnerAmper survey of board members, which found fewer than four out of 10 organizations have a plan in place to deal with a reputational crisis. That report warned, “Public companies should be aware of the connection between a cybersecurity breach, an organization’s reputation and the ever-expanding role of social media.”
Separately, the IIA released a report Wednesday on auditing culture. The report, Auditing Culture—A Hard Look at the Soft Stuff, makes the case that internal audit can enhance its value to an organization by auditing culture and provides a comprehensive look at how it can be accomplished.
The report includes a list of considerations for heads of internal audit who are contemplating auditing culture, from seeking out tools available to gauge organizational culture, to training and compliance concerns.
It also lists six important steps in preparation for auditing culture including leveraging available resources; reviewing employee engagement surveys or similar tools; and securing support of the board, audit committee, and executive management.
“Given the overwhelming importance of culture to organizational success, a company’s failure to audit it on a consistent, continuous basis sends a clear—and likely unwelcome—message to stakeholders about its values and priorities,” the report concludes.
The report is part of the IIA’s Global Perspectives and Insights series, which looks at key issues and challenges facing the profession and offers insights and direction on how best to address them. It is available in eight languages, including English, Chinese, Spanish, and Arabic, to members through the IIA’s national institutes in 105 countries and territories around the world as well as through its global website.