Author
Mr. Tarun Kher, Associate Partner at MGC & KNAV Global Risk Advisory, is an expert in the areas of internal audits, risk management & process re-engineering.
Cybersecurity is extremely important for organizations because highly confidential and entity-specific sensitive information rests on secured gateways, data farms and servers that are exposed to data security attacks and threats. A cyberattack can be devastating for any enterprise, since it denotes an intrusion or breach of security that endangers extremely pivotal information and, through it, the financial position, operational strategy, vision and mission and, more importantly, the trust and reputation that the organization has established since inception.
A survey of more than 1,500 business and technology executives across 12 countries found that nearly three quarters of the surveyed organizations faced at least one security breach or incident in 2015, with about 6 in 10 breaches classified as serious. (Source: CompTIA, a non-profit association for the global IT industry). Incidentally, India is one of the 12 countries across the globe that has cyber security laws.
Many enterprises believe cybersecurity risk is an integral part of the profile of the Chief Information Officer (CIO), which includes its identification, management and mitigation. In the extremely vulnerable and volatile prevailing information technology environment, wherein security breaches unfold in a flash (the recent ‘Wannacry Ransomware Attack’ included), it is extremely important for all three lines of defence to integrate, collaborate and ensure a synergistic approach to cybersecurity risk management.
- i) First: CIOs and enterprise business segments collaborate in the effective review and management of cyber security risks with respect to routine/ recurring decisions and operations.
- ii) Second: Technology and application systems risk management leaders establish a vigilant review mechanism to monitor security breaches/ intrusions, thereby ensuring seamless corrective action.
- iii) Third: Independent assessment and expression of opinion on information/ data security initiatives and the vigil mechanism, which becomes a successful campaign through effective involvement of the internal audit function. Internal audit has a diverse responsibility in assessing and identifying opportunities to strengthen organizational information security and in keeping it updated in line with the ever evolving/ changing risk definitions. Internal audit also has an extremely important attest obligation to inform the Audit Committee members that the internal financial controls and risk management systems for which they are responsible are in place, adequate and commensurate with the nature and size of the organization, and operating effectively; this duty, under Sections 138 and 177(4) of the Companies Act, 2013, has become a progressive dilemma across boardrooms.
Internal Audit as Trusted Cyber-Adviser
The Institute of Internal Auditors recently called attention to the responsibility of the internal audit function in protecting enterprises from malware, evolving encrypted viruses and hackers. A new report, Internal Audit as Trusted Cyber-Adviser, elaborates on the responsibility of the Chief of Internal Audit (CIA) to become a significant contributor to cybersecurity and cyber risk protection.
"Audit leaders must go beyond simply ensuring cybersecurity audits are executed according to plan and instead bring a strategic and anticipatory approach to the problem," the report states.
The IIA report also urges more synergistic cooperation between the CIA and the CIO. Further, it emphasizes the much-recommended requirement for heads of internal audit to have command of all "cyber pathways" in and out of the organization. (Source: Institute of Internal Auditors report, Internal Audit as Trusted Cyber-Adviser)
Role of Robust Internal Audit Vigilance in Combating Cybersecurity Breaches
Cyberattacks such as the very recent ‘Wannacry Ransomware Attack’ are unpredictable and at times leave enterprises unprepared to combat the resultant risks. The tone at the top is clear, with an increasing expectation that the internal audit function assess the enterprise’s readiness to manage such risks. The approach for internal audit is well defined: it commences with a deep-dive cybersecurity risk assessment, duly documented, followed by identification of critical gaps in the ‘As Is’ processes and formulation of a remediation ‘To Be’ design, planned for effective implementation under a risk-based cybersecurity internal audit plan.
Internal audit teams add tremendous value by shouldering additional responsibilities in the identification of threats and vulnerabilities, disaster management and business continuity, thereby ensuring that the incidence of information technology risks is minimized. In addition, internal audit assists in preparing standard operating procedures and in documenting process narratives, flow charts and related policies for effective control performance.
Some of the most recent cybersecurity weaknesses reported by vulnerability assessments of secured IPs include:
- Clickjacking is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.
- CSRF (Cross Site Request Forgery) vulnerability allows an attacker to force a logged-in user to perform an important action without their consent or knowledge. It is the digital equivalent of an attacker forging the signature of a victim on an important document. Furthermore, the attack leaves no evidence behind, since a forged request contains all of the information and comes from the same IP address as a real request from a victim.
- The FREAK attack allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which relies on out-of-date, short encryption key lengths whose traffic can then easily be decrypted. This allows the attacker to break into, steal and/ or manipulate sensitive data.
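The three findings above are the kind an internal audit team has to verify rather than take on trust. The script below is an added example, not code from the article or from any tool it names: it runs a defender-side check for each finding against constructed inputs, namely a captured set of HTTP response headers (clickjacking protection via X-Frame-Options or a CSP frame-ancestors directive), a hypothetical session-bound HMAC synchronizer token (CSRF), and a server's enabled cipher list screened for export-grade suites (FREAK). The cipher names used as sample input are real OpenSSL and IANA names; the token scheme, session ids and header sets are assumptions constructed for the example.

```python
# Added example (not from the article): audit checks for the three web
# vulnerability classes discussed above. All sample inputs are constructed.
import hmac
import hashlib
import secrets

# X-Frame-Options values that prevent cross-origin framing
FRAMING_SAFE = {"DENY", "SAMEORIGIN"}


def clickjacking_findings(headers):
    """Return findings for a response that lacks framing protection.

    Protection counts as present if X-Frame-Options is DENY/SAMEORIGIN or
    Content-Security-Policy carries a frame-ancestors directive.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = lower.get("content-security-policy", "").lower()
    findings = []
    if xfo not in FRAMING_SAFE and "frame-ancestors" not in csp:
        findings.append("page may be framed by any origin: add "
                        "X-Frame-Options: DENY or a CSP frame-ancestors directive")
    return findings


def issue_csrf_token(session_id, secret):
    """Hypothetical synchronizer token: an HMAC binding the token to the session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_request_allowed(session_id, submitted_token, secret):
    """Accept a state-changing request only if its token matches the session.

    A forged cross-site request cannot carry this token, because the attacker's
    page never sees it, so the request is rejected even though the browser
    attached the victim's cookies.
    """
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id, secret)
    # constant-time comparison avoids leaking the token byte by byte
    return hmac.compare_digest(expected.encode(), submitted_token.encode())


def export_grade_ciphers(enabled):
    """Return the enabled cipher names a FREAK-style downgrade could exploit.

    OpenSSL names export suites with an EXP- prefix; IANA names carry EXPORT.
    """
    return [c for c in enabled
            if c.upper().startswith("EXP-") or "EXPORT" in c.upper()]


def audit_report(headers, enabled_ciphers):
    """Combine the header and TLS checks into one list of findings."""
    findings = list(clickjacking_findings(headers))
    weak = export_grade_ciphers(enabled_ciphers)
    if weak:
        findings.append("export-grade cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    # constructed sample: response with no framing protection at all
    WEAK_HEADERS = {"Content-Type": "text/html", "Server": "example"}
    # constructed sample: cipher list still offering two export suites
    WEAK_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]
    for line in audit_report(WEAK_HEADERS, WEAK_CIPHERS):
        print("FINDING:", line)

    secret = secrets.token_bytes(32)           # server-side key, constructed
    token = issue_csrf_token("session-42", secret)
    print("genuine request allowed:", csrf_request_allowed("session-42", token, secret))
    print("forged request allowed:", csrf_request_allowed("session-42", "", secret))
```

Run against a real engagement, the header dictionary would come from the captured response and the cipher list from the server's TLS configuration; the report lines map directly onto the ‘As Is’ gaps the audit plan asks for.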
Given the increasing cybersecurity risks and threats, internal audit plays a pivotal role in the timely reporting of existing and emerging cyber risks in the organization, as well as in formulating an effective remediation plan to mitigate them through constant collaboration and networking with industry counterparts and information technology function specialists.
Collaboration between Internal Audit and Information Technology
A planned cybersecurity strategy entails a dynamic and result-oriented approach. Internal audit is instrumental in detecting cybersecurity lapses and preventing major cyber threats and vulnerabilities through periodic reviews and implementation of remedial action in continuous collaboration with the IT function.
Internal audit is an independent function and provides an unbiased review of existing information security frameworks and controls by applying the Control Objectives for Information and Related Technologies (COBIT) framework for IT risk governance, which in turn enables the IT team to design effective controls. Internal audit’s support also supplements the IT team’s efforts to obtain management’s approval of security policies and to ensure greater employee participation in their security compliance responsibilities.
In accordance with the mandate prescribed by the Companies Act, it is extremely important that internal auditors, together with the CIO, make a joint presentation to the Audit Committee and Board members to discuss the executive summary of significant/ high-risk cybersecurity observations and to update them on emerging threats and vulnerabilities as well as cybersecurity regulations. The remediation plan, along with global best practices, should also be presented for effective implementation with defined timelines and a concrete action plan. Further, as part of the ‘Action Taken Review’, the implementation status of all open observations emanating from the previous meeting must be presented.
Integrated Planned Approach to Cybersecurity Internal Audits
Implementation of an effective cybersecurity program requires timely identification of risks, threats and vulnerabilities and design of the remediation measures, thereby formulating a control framework that is periodically updated in line with the changing business environment and communicated and reported in a consistent manner. Internal audit thereby assists in developing a consistent and pragmatic approach in which information technology risk and control definitions are standardized across the enterprise, resulting in effective assimilation, consolidation, communication and critical analysis of cybersecurity information.
A ‘Control Self Assurance’ vigilance mechanism, in which users are made aware of cybersecurity threats and trained to periodically review certain key controls and assert their existence/ performance, is another collaborative model that strengthens the layer of internal security. Further, a centralized information repository in which internal audit and IT teams can easily maintain, access and share confidential information, and map security risks to auditable entities, IT assets and Information Technology Act regulations, enhances the enterprise’s protection against inherent vulnerabilities. Technology can help not only by streamlining risk assessments but also by delivering real-time visibility into risks and controls and providing a centralized mechanism to document and manage risks, both existing and emerging.
The Big Bang Evolution
In the era of ‘Auditing around the Computer’, internal audit had no role and/ or responsibility in the assessment and evaluation of information technology security risks and controls. The big technological leap that led enterprises to invest in Enterprise Resource Planning (ERP) applications, not only for financial reporting but also for operational controls, has resulted in internal audits being conducted as ‘Auditing through the Computer’ in today’s digital enterprises. Secure, confidential and private enterprise information has emerged as a critical asset facing a growing number of security threats, given the increased competition and the potential players ready to venture into the same line of business as the existing enterprise. While the need for a dedicated CIO leading the enabling information technology function has been established, extensive involvement of the internal audit function, coupled with the oversight and wisdom of the board, management and learned audit committee members, is imperative to institutionalise a planned and effective cybersecurity strategy that focuses on anticipating and mitigating risks and building an organizational layer of resilience.
Internal audit is a key function in an enterprise and should effectively integrate cybersecurity risk assessment and mitigation into its audit universe, making it part of its annual charter, to eliminate the technological/ information security risks faced by the enterprise.