Tenth annual survey also explores evolution of internal auditing over the past decade
According to Arriving at Internal Audit’s Tipping Point Amid Business Transformation, the 2016 Internal Audit Capabilities and Needs Survey report released by global consulting firm Protiviti, organisations are more likely than ever to evaluate cybersecurity risk as part of their annual audit plans. Nearly three out of four organisations (73 percent) now include cybersecurity risk in their internal audits, a 20 percent increase year-over-year. While there is a clear need among most internal audit groups to strengthen their ability to address cybersecurity risk, the survey found that these capabilities are much stronger for top-performing organisations, particularly those in which the board of directors has a high level of engagement in information security risks.
“The rapidly evolving sophistication of Cyberattacks is one of the hottest topics of today’s digital age ,” said Mark Peters, managing director, internal audit, Protiviti. “Our survey found that when it comes to assessing cybersecurity measures and the auditing processes, the highest performing organisations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks. It’s still apparent, however, that further work is essential to build out these internal audit capabilities in order to focus on the right areas. Companies must take stronger action to set these imperatives into place.”
More than 1,300 internal audit professionals, including more than 150 chief audit executives (CAEs), participated in Protiviti’s 10th annual survey to assess the top priorities for internal audit functions in the coming year.
Cybersecurity Risk Capabilities and Best Practices
During the past decade, the importance of cybersecurity in internal audit functions has evolved from a simple IT risk to a serious strategic business risk, an issue that now must be addressed regularly by executive management and the board of directors. In fact, 57 percent of companies surveyed have received inquiries from customers, clients and/or insurance providers about the organisation’s state of cybersecurity.
Protiviti’s survey found that there are two critical success factors when establishing and maintaining an effective cybersecurity plan:
- A high level of engagement by the board of directors in information security risks; and
- Including the evaluation of cybersecurity risk in the current audit plan.
Companies with at least one of these success factors in place have a stronger risk posture to combat cyber threats. For example, 92 percent of organisations with a high level of board engagement in information security risks have a cybersecurity risk strategy in place, compared to 77 percent of other organisations. Similarly, 83 percent of companies that include cybersecurity risk in the annual audit plan have a cybersecurity risk policy, versus 53 percent that do not include cybersecurity risk in their audit plans.
Ten Years of Internal Audit
Over the past ten years, internal audit professionals have assessed their competency in more than thirty areas of audit process knowledge and general technical knowledge in Protiviti’s survey. Areas that continue to surface as top priorities year-over-year include: ISO 27000, data analysis technologies, various areas of auditing IT, technology-enabled auditing and fraud risk management.
As for 2016, technology issues dominated the priority list for internal auditors. The top 10 priorities for internal audit are:
- ISO 2700 (information security)
- Mobile applications
- NIST Cybersecurity Framework
- GTAG 16 – Data Analysis Technologies
- Internet of Things
- Agile Risk and Compliance
- ISO 14000 (environmental management)
- Data Analysis Tools – Statistical Analysis
- Country-Specific ERM Framework
- Big Data/Business Intelligence
“With most of the top priorities identified relating to IT risks, it’s clear that auditing IT remains important to internal audit functions and to the state of an organisation’s overall risk profile,” added Peters. Companies are trying to ensure business-as-usual systems are secure and effective as well as working to drive change through the introduction of new technologies, greater digitisation and mobilisation of internal and customer-facing systems. These factors, coupled with the increasing cyberthreats are driving internal audit to increase its IT audit capabilities each year and raising technology issues up the priority list for internal audit. It is essential for internal audit functions to act now in order keep pace with this change’’