Getting Everyone on Board to Battle Security Risks
Organizations whose boards of directors are highly engaged with information-security risk and that include cyber-security in their annual audit plan manage cyber-security risk acceptably, according to 30% of respondents.
Defining cyber-security measures in the annual audit plan aids successful management of cyber-security risk. Among organizations that include cyber-security in the audit plan, 47% of respondents rate their organization as “very effective” at identifying cyber-security risk, compared to just 19% at other organizations.
70% of organizations that include cyber-security in their audit plan also have a cyber-security risk strategy, compared to 42% of other organizations.
53% of respondents said cyber-security evaluation is included in their audit planning. Of those, 60% have used NIST’s Cybersecurity Framework to measure and evaluate their programs.
The top five most significant cyber-security risks, as ranked by respondents:
1. Data security (company information)
2. Brand/reputational damage
3. Regulatory and compliance violations (tie)
3. Data leakage (tie)
5. Viruses and malware
Respondents assessed their competency in 35 areas of technical knowledge, indicating whether their knowledge is adequate or needs improvement. The top areas flagged for technical-knowledge improvement:
- Data analysis technologies
- NIST Cybersecurity Framework
- Mobile applications
- Continuous assurance
- The Guide to the Assessment of IT Risk
Respondents also evaluated 35 areas of audit-process knowledge in terms of needed improvement. The top areas flagged:
- Auditing IT security
- Computer-assisted audit tools (CAATs)
- Data analysis tools for data manipulation
- Marketing internal audit within the organization
- Monitoring fraud
Internal auditors indicate an increased desire for new guidance and standards to advance IT audit plans and communicate the importance of these practices more effectively to key stakeholders.
Internal auditors are committed to increasing collaboration with other departments, and want to develop personal skills such as persuasion and strengthen their relationships with board members, so that they can balance multiple priorities and increase their strategic contribution to the enterprise.
43% of respondents report that their CIO collaborates with the audit committee, reporting on both cyber-security and IT-related risks.