Performing a Risk-Based Cyber Audit
Key Takeaways
- Cybersecurity Is Too Broad for a Single Audit: The scope of cybersecurity spans the entire enterprise, making it impractical, and often misleading, to audit it as a single auditable entity.
- Risk-Based Auditing Means Business Risk First: Audits should focus on how cybersecurity failures could affect enterprise objectives, not on technical controls in isolation.
- Controls Must Be Viewed in Context: Cyber risks should be assessed alongside other manual and automated controls that may mitigate their impact on the business.
- Frameworks Don’t Go Far Enough: Standards like NIST and ISO tend to assess risk to IT assets, not the broader risk to organizational objectives.
- Targeted Audits Deliver More Value: Narrowly scoped audits of significant cyber-related business risks provide more meaningful assurance than broad cybersecurity reviews.
Deep Dive
In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.
Why Cyber Audits Miss the Real Risk
Cyber is obviously a source of risk to every organization. So it always makes sense to consider how it should be addressed in the audit plan. It’s not a topic that can be addressed in a single audit. But I’ll come back to that.
I believe in risk-based auditing. That means auditing and providing assurance on how management manages the more significant risks to the enterprise and its objectives.
In their Cybersecurity Topical Requirement document, the IIA talks about auditing and assessing cybersecurity. I prefer to focus on the risks to the business should cybersecurity fail in some way. In other words, I prefer risk-based auditing.
The TR says:
Cybersecurity
The National Institute of Standards and Technology (NIST) defines cybersecurity simply as, “The ability to protect or defend the use of cyberspace from cyberattacks.” Cybersecurity is a subset of overarching information security, which NIST defines as, “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Cybersecurity reduces risk by strengthening the overall control environment and protecting an organization’s information assets from unauthorized access, disruption, alteration, or destruction. Cyberattacks can lead to direct and indirect impacts that are often significant, as computers, networks, programs, data, and sensitive information are critical components of most organizations.
Evaluating and Assessing Cybersecurity Governance, Risk Management, and Control Processes
This Topical Requirement provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. The requirements represent a minimum baseline for assessing cybersecurity in an organization.
Cybersecurity encompasses activities, systems, and processes across the extended enterprise. It is massive! It is far too big to assess in a single audit engagement.
In addition, it includes processes and controls that, should they fail, would only have marginal effects on enterprise success. For example, they might include access controls to the company’s expense reporting system, the records of materials received, or to the physical security system for its Singapore office.
While these controls might be sufficiently important to justify their cost, the risk to the enterprise should they be breached is minimal. Any risk to the enterprise from a cyber breach may well be mitigated by other controls, whether manual or automated.
Let me give you a real-life example. When I was at Tosco Corporation, I received a call from the PwC IT audit senior manager. He believed his team had found a potential material weakness in the access security of our convenience stores. I called a meeting for him to explain that to me, our Corporate Controller, and the CIO, and made sure the engagement partner and senior manager would attend. As soon as he started talking about how every store manager had access to and could potentially change the data for his store, the engagement senior manager jumped all over him. He pointed out that there were excellent controls in the head office that would identify any error that could be even close to material.
But NIST (and thereby the IIA in its TR) considers cybersecurity risk in a silo. We are (or should be) better than that. An audit is justified only when the overall risk, taking into account all the relevant controls, is significant to the achievement of enterprise objectives.
I’ll say this a few times: we should be auditing the management of risks, not individual processes or “auditable entities”. Instead of auditing cybersecurity, audit how management identifies and addresses the business risk that is cyber.
In addition, as I said earlier, cybersecurity is so broad and encompassing that it makes no sense (IMHO) to even attempt to audit and provide an opinion on its totality.
Instead, focus audit engagements on the more significant business risks that would result from one or more failures of cybersecurity, given the existence of other controls. This may mean that you need to broaden the scope of what started as a cyber risk audit to include the design and operation of those other controls.
So how do you identify the more significant cyber-related business risks? I start by asking management how they identify the risks. The TR, to its credit, includes this requirement:
Internal auditors must assess the following in relation to the organization’s cybersecurity risk management:
A. The organization’s risk assessment and risk management processes include identifying, analyzing, mitigating, and monitoring cybersecurity threats and their effect on achieving strategic objectives.
While it doesn’t make it clear, the cyber risk assessment cannot be made in a silo if it is to determine the potential “effect on achieving strategic objectives”.
Unfortunately, the primary cyber standards and frameworks (including NIST and ISO) don’t go far enough. They assess the effect on information technology assets, rather than on enterprise objectives.
If management has done a good job of integrating cyber-related issues into its enterprise risk management program (i.e., considering business process and other controls and how they might compensate for or mitigate cyber issues), then that would be a good place to start.
If they have not, I would first endeavor to get them to take a more effective approach to understanding the business risk that is cyber (for more on this, see Understanding the Business Risk that is Cyber: A guide for both business executives and InfoSec managers to bridge the gap).
If they have not adequately assessed the business risk, how can they know they have the right resources deployed in the right areas? This is probably going to be an issue that should be communicated to top management and the board.
Then I would work with them to identify the more significant sources of business risk that merit an audit engagement. A facilitated risk workshop is a great tool where internal audit can make a valued difference.
My audit plan always included audits of the more significant cyber risks. They were narrowly focused on how management identified, assessed, and managed those risks. For example, our audit plans included:
- An audit of the Information Security risk assessment
- An audit of access to our Northern California refinery units, including white-hat penetration testing
- An audit of access to a new refinery control system in New Jersey
- The assessment of the staffing, reporting structure, and capabilities of the corporate InfoSec team
- The audit of access rights to the HR and Payroll systems in Suzhou, China
- An audit of access to a new revenue system in New Jersey
- An assessment of the implementation of Microsoft’s Active Directory
- An audit of data privacy compliance
- An audit of SAP privileged user controls
- The use of specialized tools (ISS and Kane) to detect network vulnerabilities
In all my years as CAE, I never had an audit of cybersecurity, per se. While a risk-based audit approach may not enable an overall assessment of cybersecurity, it does enable an assessment of how management addresses the more significant cyber-related business risks.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

