Good and Bad Advice on Cybersecurity Audits

November 15th, 2022

Is cyber really a top-ten risk? To know, each organization needs to conduct, and continuously (or close to it) update, its cyber risk assessment – within the context of the enterprise risk management program, so it can be compared to other sources of business risk.

Many misguided consultants look to internal audit to perform the risk assessment.  When will people get it?

Assessing Risk and Updating the Assessment when it Changes is a Management Responsibility!

The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.

Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.

Yet, one major consulting firm states:

“You need to begin with a thorough and independent assessment of cybersecurity risk. If management has not completed that thorough and reliable assessment of cyber security risk, within the context of enterprise risk and the achievement of enterprise objectives, report a serious risk and control deficiency to top management and the board.”

My response?

One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities.  If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.

The consulting firm made another serious error when they said: “You need a dedicated multi-year plan that is part of your broader audit plan.”

My response?

Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less!  How can you have a multi-year audit plan these days?  Even an annual plan needs to be updated at the speed of risk and the business.

My Approach to Auditing Cyber Includes:

  1. Has management completed and properly maintained an assessment of cyber risk?
  2. Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
  3. Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed?
    • Do they report at a level that enables them to get management attention and action as appropriate?
    • Do they have a sufficient budget and tools?
    • Do they talk in business language or in technobabble that management and the board cannot translate into business language?
  4. If one or more of the above are answered “no”, determine the value of further audit activity.
    • A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk.
    • Report the cyber risk assessment deficiency immediately to senior management and the board as a serious issue.
  5. Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
  6. Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
  7. Over time, help management build and maintain an acceptable information security activity and practices.
  8. Ensure management and the board remain informed of the level of risk to enterprise objectives.

In conclusion, internal audit should not be assessing cyber or other sources of risk to drive management decisions. They should be facilitating management’s assessment.

Let me know what you think.

Published in IT Availability & Security


About the Author:

Norman Marks, CPA, CRMA is a retired senior executive. He works with individuals and organizations around the world, advising them on risk management, internal audit, corporate governance, enterprise performance, and the value of information. For twenty years he was the chief audit executive of major global corporations and is a globally-recognized thought leader in the professions of internal auditing and risk management. In addition, he served as chief risk officer, compliance officer, and ethics officer, and led what would now be called the IT governance function (information security, contingency planning, methodologies, standards, etc.). He managed the Sarbanes-Oxley Section 404 (SOX) programs and investigation units at several companies.

Norman is the author of 12 audit and risk management books. He has been profiled by various magazines and in 2018 he was inducted into the IIA’s American Hall of Distinguished Practitioners. Norman can be found at
