Many directors have questions about their organization’s cyber security posture and the effectiveness of the groups (including internal auditors) that are responsible for providing assurance on risk management and control. In this posting, I discuss some causes of blind spots and suggest actions.
I recently spoke at a technology symposium attended by IT audit directors from many of the largest companies in the U.S. The purpose of my talk was twofold: share insights from conversations with corporate directors regarding their role in strategic risk oversight, and help audit executives understand the pressures that boards face so that internal audits can better align with shareholder needs.
During the exchange, I conducted anonymous polling to understand why significant gaps can exist between board director expectations and what internal audit teams are actually able to deliver. Below, I describe some highlights from the session and encourage directors to probe more deeply about their organization’s defenses during cyber security updates and other presentations. Directors should also request action plans from management that will close any significant gaps.
How well are internal audit teams addressing strategic IT risk?
According to a recent study, two out of three board members believe internal audit should have a more active role in evaluating an organization’s strategic risks. This implies that management has defined, and internal auditors have obtained and assessed, the organization’s strategic plans including the specific business and IT-related initiatives that will advance its goals.
In this regard, polling of participants at the symposium showed that only 76% agreed that their organization had an IT strategy, while the remainder (24%) felt there was “somewhat” of a strategy in place. Where a definitive strategy does not exist, auditors may struggle to provide the board with needed assurance around related control and risk management practices.
Internal auditors are effective when they assess the management of the organization’s most important risks, particularly those impacting company objectives and strategy. When asked at the symposium whether their audit teams assessed the management of some or most of the strategic risks in their organization,
- 65% agreed they perform these strategic audits, while
- 35% acknowledged being aware of company strategy and objectives, but said they did not assess how well the related risks were being managed.
When asked about barriers in the organization preventing them from auditing strategic risks,
- 43% indicated that there were no barriers in their organization; however,
- 21% indicated that management was resistant to them being involved in strategic risk areas, and
- 14% indicated the board was not interested in having the risks assessed, and
- 14% lacked awareness of the strategic direction, while 7% responded, “don’t know/not applicable”.
Clearly, these areas need discussion and perhaps greater attention by the board and the Chief Audit Executive (CAE) to reduce or close any expectation gaps.
Are you able to withstand a cyber-security attack today?
With all the attention given to cyber security in recent years, you might expect that a large percentage of major organizations in America rate themselves as well protected.
However, when asked whether they felt their company could currently defend itself successfully against a sophisticated cyber-security attack,
- 33% of poll respondents at the symposium indicated they could successfully do so,
- 48% felt their company’s defenses were not sufficient, and
- 19% were unsure.
These polling results showing that two-thirds of the executives lack confidence in their defenses do not surprise me. Large, complex organizations are naturally more vulnerable to security events because of the broad “attack surface” created when deploying technology and application systems across dealers, suppliers, venture partners and others. However, in those cases I expect that the board and internal auditors would have significant dialogue around the effectiveness or ineffectiveness of company defenses and discuss the timing of steps agreed by management to remediate the deficiencies. Transparency with the board is critical.
Where does the Board want assurance on controls?
When building the internal audit plan, it is important that the audit team have an understanding of areas where the board would like to receive assurance from the audit work.
In the polling, 73% of participants said that they had a good understanding of the areas where their board wanted assurance and had actually performed audits in those areas. However, 26% said they either had not asked their board for input on coverage, or were aware of board “hot buttons” but did not perform audits in those areas. Expectation gaps around internal audit performance can arise when auditors have not gathered requirements from their most important “customers”.
While 69% of participants felt the board should hold the CAE accountable for internal audit’s failure to deliver what the board wants, 25% felt that the audit committee itself was responsible for any such failure; after all, the audit committee typically retains, oversees, and evaluates the performance of the CAE.
Tips for Better Alignment around Technology Risk Management
Now that we have a better understanding of the sources of potential blind spots, directors can use the following lines of inquiry in board meetings to get issues on the table for resolution.
#1 – Inquire whether the internal auditors understand and are assessing your organization’s technology strategy. Some organizations hold their strategic plans “close to the vest” and may not be sharing them with the CAE. However, the audit team cannot hit a target that they cannot see. Where the target or strategy is non-existent, the board should understand the reasons.
#2 – Ask for assurance that the auditors prioritize and focus on the most critical cyber risks. Directors should understand whether management has performed a thorough risk assessment. Where gaps in defenses are noted, management should be taking steps to reduce the potential impact of a breach. Internal audit should be providing value-added recommendations where needed. For example, performing an internal audit assessment of the company’s “crown jewels”, which are the most valuable or important digital assets, will help to bring attention to areas needing heightened levels of protection. You cannot protect everything, so be sure to put your resources where needed most.
#3 – Ensure that management is not restricting the auditors from doing their job. To be effective, the CAE and internal audit team need the visible support of the board to enhance their ability to be independent and objective in their work. The CAE should discuss with the audit committee any differences of opinion with management regarding the audit plan, to reduce the likelihood of undue influence on coverage of important risk areas.
Directors, management and internal auditors have shared objectives when it comes to protecting the organization from downside risk. Likewise, aligning the three groups in pursuit of strategic goals and objectives will help the organization take advantage of opportunities to pursue growth and long-term value creation.
“Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference”, by Jim DeLoach and Charlotta Lofstrand Hjelm, a Global Internal Audit Common Body of Knowledge (CBOK) study report, conducted by The IIA and Protiviti, 2016.