blackstroke

06/01/2016

Many of the top risks organizations face today are related to technology. As a result, internal auditors are paying close attention to areas such as cybersecurity, data privacy, and social media. These areas—and others related to technology—have the potential to deliver devastating setbacks to a company or organization.

The technology risks we face today are increasingly complex, and a sophisticated, well-thought-out approach is required to manage them. How might internal audit help organizations manage these risks, and which are the most common?

CYBERSECURITY

Internal audit’s activities related to cybersecurity, according to the report, can include conducting vulnerability scans and penetration testing; verifying that simulation exercises related to the organization’s crisis management plan are performed; and conducting an audit of network architecture to determine compliance with network policy and procedures.

INFORMATION SECURITY

Organizations are now focusing on a layered defense of critical information, rather than a single layer of protection at the network perimeter, the report says. Internal audit’s activities can include performing vulnerability scans of the internal network; reviewing the access control review process; and using third parties to conduct simulated attacks and auditing the results.

IT SYSTEMS DEVELOPMENT PROJECTS

Internal audit can perform audits of each aspect of the life cycle of systems development; participate in project audits with vendor audit and quality teams; and conduct audits of the organization’s project management methodology, the report says.

IT GOVERNANCE

Internal audit’s duties can include assessing the tone at the top of the IT organization; performing periodic audits to determine the IT function’s alignment with strategic priorities; and reviewing the effectiveness of IT’s resource and performance management, according to the report.

OUTSOURCED IT SERVICES

Internal auditors can get involved early in the outsourcing cycle, the report says, by ensuring that the initial contract addresses important topics including oversight, monitoring, auditing, and security. Internal audit also can ask how compliance with the contract is monitored.

SOCIAL MEDIA USE

Internal audit’s duties can include playing a consulting role as organizations define, communicate, monitor, and enforce a social media business-use policy, according to the report. A social media audit may be included in the annual internal audit plan.

MOBILE COMPUTING

Many organizations perform little or no assurance over the use of mobile devices. We therefore suggest that internal audit perform an audit of the inventory process for mobile devices, perform an audit of how lost or stolen devices are managed, and verify that sensitive information is encrypted or not stored on mobile devices.

IT SKILLS AMONG INTERNAL AUDITORS

Many internal audit departments struggle to develop and maintain the skills needed to audit IT. Understanding the technology used in the organization and identifying skills gaps can help internal audit develop and/or outsource these skills, according to the report.

EMERGING TECHNOLOGIES

Internal audit can provide guidance on the risk and control requirements when new technologies are being evaluated, the report says.

BOARD AND AUDIT COMMITTEE TECHNOLOGY AWARENESS

Limited IT expertise on a board of directors may pose governance challenges. Internal audit can therefore be the main conduit for bringing technology awareness to the board and audit committee.