Internal Audit and its Larger Role In Enhancing
PCQ. PCQuest; Gurgaon (Nov 21, 2017).
Mr. Tarun Kher, Associate Partner at MGC & KNAV Global Risk Advisory, is an expert in the areas of internal audits,
risk management & process re-engineering.
Cybersecurity is extremely important for organizations because highly confidential, entity-specific sensitive
information rests on secured gateways, data farms and servers that are exposed to data security attacks and
threats. A cyberattack can be extremely damaging for any enterprise: it represents an intrusion or breach of
security that endangers pivotal information and, through it, the financial position, operational strategy, vision
and mission and, more importantly, the trust and reputation that the organization has established since inception.
A survey of more than 1,500 business and technology executives across 12 countries found that nearly three
quarters of the surveyed organizations faced at least one security breach or incident in 2015, with about 6 in 10
breaches classified as serious. (Source: CompTIA, a non-profit association for the global IT industry). Incidentally,
India is one of the 12 countries across the globe that has cyber security laws.
Many enterprises believe cybersecurity risk is an integral part of the Chief Information Officer's (CIO) profile,
which includes identifying, managing and mitigating it. In the extremely vulnerable and volatile prevailing
information technology environment, where security breaches unfold in a flash (the recent ‘Wannacry Ransomware
Attack’ being one example), it is extremely important for all three lines of defence to integrate, collaborate and
ensure a synergistic approach to cybersecurity risk management.
i) First: CIOs and enterprise business segments collaborate in the effective review and management of cyber
security risks with respect to routine/ recurring decisions and operations.
ii) Second: Technology and application systems risk management leaders establish a vigilant review mechanism to
monitor security and related breaches/ intrusions, thereby ensuring seamless corrective actions.
iii) Third: Independent assessment and expression of opinion on information/ data security initiatives and the vigil
mechanism, which can become a successful campaign through effective involvement of the internal audit function.
Internal audit has a diverse responsibility in assessing and identifying opportunities to strengthen organizational
information security and in updating it in a timely manner in accordance with ever-evolving risk definitions.
Internal audit also has an extremely important attest obligation to inform the Audit Committee members that the
internal financial controls and risk management systems for which they are responsible are in place, are adequate
and commensurate with the nature and size of the organization, and are operating effectively. This duty, as per
Sections 138 and 177(4) of the Companies Act, 2013, has become a progressive dilemma across boardrooms.
Internal Audit as Trusted Cyber-Adviser
The Institute of Internal Auditors recently called attention to the responsibility of the internal audit function in
protecting enterprises from malware, evolving encrypted viruses and hackers. A new report, Internal Audit as Trusted
Cyber-Adviser, elaborates on the responsibility of the Chief of Internal Audit (CIA) to become a significant
contributor to cybersecurity and cyber risk protection.
“Audit leaders must go beyond simply ensuring cybersecurity audits are executed according to plan and instead
bring a strategic and anticipatory approach to the problem,” the report states.
The IIA report also urges more synergistic cooperation between the CIA and the CIO. Further, it emphasizes the
much-recommended requirement for heads of internal audit to be in command of all “cyber pathways” in and out of
the organization. (Source: Institute of Internal Auditors report, Internal Audit as Trusted Cyber-Adviser)
Role of robust Internal Audit vigilance to combat Cybersecurity Breach
Cyberattacks such as the recent ‘Wannacry Ransomware Attack’ are unpredictable and at times leave enterprises
unprepared to combat the resultant risks. The tone at the top is clear, with an increasing expectation that the
internal audit function will assess the enterprise’s capability to manage such risks. The approach for internal audit
is well defined: it commences with a deep-dive performance and documentation of a cyber security risk assessment,
identification of critical gaps in the ‘As Is’ processes, and formulation of a remediation ‘To Be’ design planned for
effective implementation in accordance with a risk-based cybersecurity internal audit plan.
Internal audit teams are adding tremendous value by shouldering additional responsibilities in the identification of
threats and vulnerabilities, disaster management and business continuity, thereby ensuring that the incidence of
information technology risks is minimized. In addition, internal audit also facilitates the preparation of standard
operating procedures, process narratives, flow charts and related policies for effective control.
Some of the most common cybersecurity weaknesses surfaced by vulnerability assessments of secured IPs include:
* Clickjacking is a method in which an attacker uses multiple transparent or opaque layers to trick a user into
clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is
“hijacking” clicks meant for one page and routing the user to an illegitimate page.
* CSRF (Cross Site Request Forgery) vulnerability allows an attacker to force a logged-in user to perform an
important action without their consent or knowledge. It is the digital equivalent of an attacker forging the
signature of a victim on an important document. Furthermore, the attack leaves little evidence behind, since a forged
request contains all of the expected information and comes from the same IP address as a real request from the victim.
* Freak Attack allows attackers to intercept HTTPS connections between vulnerable clients and servers and force
them to use ‘export-grade’ cryptography, which uses out-of-date, short encryption key lengths that can then easily
be broken. This allows the attacker to read, steal and/ or manipulate sensitive data.
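As an added illustration (not from the article or the firms it mentions), here is a small Python audit check of the kind a vulnerability assessment might run: it flags the three weaknesses listed above using constructed sample data, namely a response with no anti-framing header (clickjacking), a session cookie without a SameSite attribute plus a constant-time token comparison (CSRF), and export-grade cipher suites (FREAK). The header and cipher values are constructed samples, not findings from any real system.

```python
import hmac

# Constructed sample: response headers captured from one web endpoint.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
}

# Constructed sample: cipher suites a TLS endpoint offers (OpenSSL-style names).
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "EXP-RC4-MD5", "EXP1024-DES-CBC-SHA"]


def clickjacking_findings(headers):
    """A page may be framed by any site unless it sends X-Frame-Options
    or a Content-Security-Policy with a frame-ancestors directive."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    if "x-frame-options" in h or "frame-ancestors" in csp:
        return []
    return ["clickjacking: no X-Frame-Options or CSP frame-ancestors directive"]


def csrf_findings(headers):
    """A session cookie without SameSite is attached to cross-site requests,
    so the browser will happily send a forged request with valid credentials."""
    return [
        "csrf: session cookie lacks a SameSite attribute"
        for k, v in headers.items()
        if k.lower() == "set-cookie" and "samesite" not in v.lower()
    ]


def freak_findings(ciphers):
    """Export-grade suites (EXP-/EXP1024- prefix in OpenSSL, EXPORT in IANA
    names) are the weak suites a FREAK downgrade forces a client into."""
    weak = [c for c in ciphers if c.upper().startswith("EXP") or "EXPORT" in c.upper()]
    return [f"freak: export-grade cipher suite offered: {c}" for c in weak]


def valid_csrf_token(session_token, submitted_token):
    """Second CSRF layer: the per-session token echoed in the form must match;
    compare_digest avoids leaking the token through timing differences."""
    return hmac.compare_digest(session_token, submitted_token)


def audit(headers, ciphers):
    """Collect all findings for one endpoint."""
    return clickjacking_findings(headers) + csrf_findings(headers) + freak_findings(ciphers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_CIPHERS):
        print(finding)
```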
Given the increasing exposure to cybersecurity risks and threats, internal audit plays a pivotal role in the timely
reporting of existing and emerging cyber risks in the organization, as well as in formulating an effective
remediation plan to mitigate them through constant collaboration and networking with industry counterparts and
information technology function specialists.
Collaboration between Internal Audit and Information Technology
A planned cybersecurity strategy entails a dynamic and result-oriented approach. Internal audit is instrumental in
detecting cybersecurity lapses and preventing major cyber threats and vulnerabilities through periodic reviews and
implementation of remedial action in continuous collaboration with the IT function.
Internal audit is an independent function and provides an unbiased review of existing information security
frameworks and controls by applying the Control Objectives for Information and Related Technologies (COBIT)
framework for IT risk governance, which, in turn, enables the IT team to design effective controls. Internal audit’s
support also supplements the IT team’s efforts to obtain management’s approval of security policies and to ensure
greater employee participation with respect to their security compliance responsibilities.
In accordance with the mandate prescribed by the Companies Act, it is extremely important that internal auditors,
together with the CIO, make a joint presentation to the Audit Committee and Board members to discuss the
executive summary of significant/ high-risk cybersecurity observations, and update them on emerging threats and
vulnerabilities as well as cybersecurity regulations. The remediation plan, along with global best practices, should
also be presented for effective implementation with defined timelines and a concrete action plan. Further, as part
of the ‘Action Taken Review’, the implementation status of all open observations emanating from the previous
meeting must be presented.
Integrated Planned Approach to Cybersecurity Internal Audits
Implementation of an effective cybersecurity program requires timely identification of risks, threats and
vulnerabilities and the design of remediation measures, thereby formulating a control framework that is periodically
updated in accordance with the changing business environment and communicated and reported in a consistent manner.
Internal audit thereby assists in developing a consistent and pragmatic approach in which information technology
risk and control definitions are standardized across the enterprise, resulting in effective assimilation,
consolidation, communication and critical analysis of cybersecurity information.
A ‘Control Self Assurance’ vigilance mechanism, in which users are made aware of cybersecurity threats and trained
to periodically review certain key controls and assert their existence/ performance, is another collaborative model
that adds a layer of internal security. Further, a centralized information repository in which internal audit and IT
teams can easily maintain, access and share confidential information, cross-referencing security risks to auditable
entities, IT assets and Information Technology Act regulations, enhances the enterprise's protection against
inherent vulnerabilities. Technology can help not only by streamlining risk assessments but also by delivering
real-time visibility into risks and controls and providing a centralized mechanism to document and manage risks,
both existing and emerging.
The Big Bang Evolution
In the era of ‘Auditing around the Computer’, internal audit had no role and/ or responsibility in the assessment
and evaluation of information technology security risks and controls. The big technological leap that led
enterprises to invest in Enterprise Resource Planning (ERP) applications, not only for financial reporting but also
for operational controls, has resulted in internal audits being conducted as ‘Auditing through the Computer’ in
today’s digital enterprises. Secure, confidential and private enterprise information has emerged as a critical asset
that faces a growing number of security threats, given the increased competition and the potential players in the
market ready to venture into the same line of business as the existing enterprise. While the need for a dedicated
CIO leading the enabling information technology function has been established, extensive involvement of the
internal audit function, coupled with the oversight and wisdom of the board, management and learned audit
committee members, is imperative to institutionalise a planned and effective cybersecurity strategy that focuses
on anticipating and mitigating risks and building an organizational layer of resilience.
Internal audit is a key function in an enterprise and should effectively integrate cybersecurity risk assessment and
mitigation into its audit universe, making it part of its annual charter to eliminate the technological/ information
security risks faced by the enterprise.
Copyright 2017 Cyber Media (India) Ltd., distributed by Contify.com
Credit: PCQ Bureau
Subject: Enterprise resource planning; Internet crime; Forgery; Audit committees;
Collaboration; Information technology; Identification; Risk assessment; Internal
auditors; Auditors reports; Executives; Computer security
Identifier / keyword: internal audit enhancing cybersecurity larger role news
Publication title: PCQuest; Gurgaon
Publication year: 2017
Publication date: Nov 21, 2017
Publisher: Athena Information Solutions Pvt. Ltd.
Place of publication: Gurgaon
Country of publication: India, Gurgaon
Publication subject: Computers–Personal Computers
Source type: Magazines
Language of publication: English
Document type: News
ProQuest document ID: 1966964163
Document URL: https://proxy.cityu.edu/login?url=https://www.proquest.com/magazines/internalaudit-larger-role-enhancing/docview/1966964163/se-2?accountid=1230
Last updated: 2019-05-13
Database: ProQuest One Academic,SciTech Premium Collection