Internal auditors and other audit professionals place concerns about data security among their top priorities, according to Protiviti’s 2015 Internal Audit Capabilities and Needs Survey.
With organizations becoming increasingly vulnerable to cyberattacks, the annual Protiviti survey added a section that explicitly examines the roles and responsibilities of chief audit executives and internal auditors relating to cybersecurity. More than 800 audit professionals participated in the 2015 study.
The survey revealed three key points:
In rating the level of cybersecurity risk to their organizations, the audit professionals placed company data security at the top. On a scale of 1-10, with 10 representing the greatest risk, data security was rated at 7.9, with damage to brand or reputation following closely at 7.7.
Regulatory and compliance violations and data leakage (of personal employee information) both rated 7.5. Viruses and malware came in at 7.3, and interrupted business continuity at 7.2.
Financial loss ranked seventh at 6.8, and loss of intellectual property eighth at 6.6. Loss of employee productivity (6.4) and employee defamation (5.8) rounded out the perceived top 10 cybersecurity threats.
According to 40 percent of those surveyed, identifying risk and control problems earlier is the most valuable means of addressing cybersecurity risk. They viewed complying with regulations (16 percent) and monitoring reputation risk (15 percent) as much less valuable.
Other means of countering cybersecurity risk mentioned were the overall business strategy (11 percent), validation of control effectiveness or failure (10 percent), improved operational performance (5 percent), and cost recovery or improvement (3 percent).
A cybersecurity risk strategy or policy has been instituted at more than 50 percent of the organizations involved in the survey, and most of the organizations at least have a method of assessing cybersecurity risk.
The survey measured how involved different individuals and groups within the organizations were in cybersecurity risk assessment, on a scale ranging from significant to none. The following percentages of organizations had certain individuals and groups who were significantly involved in assessing their cybersecurity risk:
The following percentages of organizations experienced moderate involvement by specific individuals and groups:
Considering the negative impact of a cyberattack, it may be somewhat surprising that at 28 percent of organizations the audit committee was only minimally involved in cybersecurity risk assessment, and at 12 percent it had no involvement at all. Likewise, the legal department had minimal cybersecurity involvement at 19 percent of organizations and no involvement at all at 16 percent.
These involvement percentages were strongly influenced by how engaged an organization’s board was in cybersecurity issues and by whether cybersecurity was part of an organization’s audit plan.
Here briefly are some of Protiviti’s recommendations to internal auditors and chief audit executives for improving their organizations’ cybersecurity: