Internal auditors increasingly need to check their companies’ defenses against cyberattacks from hackers and identity thieves.
A new report from the Institute of Internal Auditors, released this week at the IIA’s global conference in New York, explains the growing role of the internal audit profession in cybersecurity.
“What we continue to find is that cybersecurity is recognized almost universally as one of the most significant risks that organizations face,” said IIA president and CEO Richard Chambers during an interview Tuesday at the conference. “It’s one that internal auditors have increasingly begun to recognize they have to help address. But what we also find is that in a lot of instances the focus can’t just be on trying to prevent a cyberattack because cyberattacks are virtually inevitable. Anyone who tells their board or their customers that they are immune from a cybersecurity attack is just not being truthful.”
Internal audit functions need to recognize the risk that cyberattacks present and dedicate part of their energy toward helping test the vulnerabilities, while also recognizing that a cyberattack is virtually inevitable at some point, he noted. Internal auditors need to ask if their organization has a continuity plan in place, along with plans to alert customers and to recover in the wake of a cyberattack.
“Those are the internal audit departments who have weathered cybersecurity attacks probably the best because they have set and managed expectations and they have helped their companies get ready for the inevitable,” said Chambers. “If you do nothing or if you simply focus on trying to help prevent it, you’re likely not going to provide the kind of support that your organization needs because it also needs to have someone looking at how ready it is to deal with the inevitable.”
This week’s conference marks the IIA’s 75th anniversary and a return to the organization’s roots (see “Institute of Internal Auditors Kicks Off Conference”).
“When you think about it, the IIA was founded here in New York City in 1941,” said Chambers. “We moved away in 1972 to Florida, and we’ve tried to bring our international conference back here for really significant milestones, so we came back for our 50th anniversary. We came back here in the year 2000 to kick off the new millennium, and we are back now for our 75th anniversary. We bring the conference back to New York when there is truly a significant milestone to celebrate. Coming back here this year means a lot and has served as a real magnet to attract our leaders and internal audit professionals from around the world. We have representatives here from 120 countries, and it’s going great. We’ve got probably 2,600 people here onsite, and they seem to be getting a lot out of the program.”
“We do see typically that the more developed a region is, the more that it’s going to be dependent on key functions like technology, the more those risks are going to present themselves, and the more important they become to internal audit,” said Chambers. “The findings in the report didn’t surprise me that much, but we sometimes do see some things that surprise us. For example, the instance of chief audit executives still reporting to the CFO tends to be higher in North America than almost any other region, particularly higher than in Europe. In the European region and others, there seems to be a greater recognition of the risk that having internal audit report to the CFO presents to perception of objectivity and the risk it presents to the company if internal audit somehow is not as vigilant in looking at the CFO’s area of financial operations because they maybe are working for the CFO. That’s one of the areas where I would say from my perspective as I look at the practices around the world where I think the profession in North America may be lagging behind some other regions in terms of recognizing a leading practice.”