- No need for technical skills but must create processes to identify, mitigate
- Many bodies and associations such as IIA and ISACA looking into this
WHEN you think of internal auditors, you probably picture them spending hours sifting through piles of paperwork to try and identify breaches in processes or irregularities in protocols, but that image no longer hold true.
The increasing dependence on technology and the proliferation of cybersecurity incidents worldwide are forcing auditors to embrace new skills, according to the Institute of Internal Auditors (IIA).
“To meet these challenges, auditors need to become multidisciplinary in nature,” says IIA Malaysia president Lucy Wong (pic above).
“Though they do not need to have technical knowledge, they need to be exposed to cybersecurity [issues] and understand where the risks are so that they can identify where the gaps are and mitigate them,” she says, speaking to Digital News Asia (DNA) in Kuala Lumpur recently.
Nickson Choo, former governor of IIA Malaysia, concurs, saying that auditors do not need to know the nitty-gritty details of cybersecurity but that they must know where the risks are coming from and have a method or process by which these risks can be addressed.
“We don’t need to be engineers,” says Choo, who is also the director of enterprise risk services at consulting firm Deloitte.
“I’m not technically trained but what I must have is the ability to identify and discover adequate proof that there are threats shaping up, and know what to do following that.
“For instance, if we çan identify where the vulnerabilities are, we can hire pen-testers to help identify the weak points,” he said, referring to highly skilled technical engineers called ‘penetration testers’ who try and identify weak points in cyberdefences.
Deloitte recommends a multi-layered approach to cybersecurity defence, says Choo, comprising three steps:
- Being secure: Focusing protection around the risk-sensitive assets at the heart of an organisation’s mission – the ones that both you and your adversaries are likely to agree are the most valuable;
- Being vigilant: Establishing threat awareness throughout the organisation, and developing the capacity to detect patterns of behaviour that may indicate or even predict the compromise of critical assets; and
- Being resilient: Being able to rapidly contain the damage, and mobilise the diverse resources needed to minimise impact – including direct costs and business disruption, as well as reputation and brand damage.
Choo says this approach provides redundancy in the event a security control fails or a vulnerability is successfully exploited in one of the layers.
The cybersecurity juggling
It has been tough for auditors to adapt to the changes in their field because technology is moving so rapidly, Wong and Choo concede.
Choo (pic above) notes that that while auditors need to be ‘successful’ in protection all of the time, hackers only need to succeed once to be able to do damage.
Also, companies need to find a balance between absolute security and the ease of doing business, he argues.
“An organisation cannot be so sewn up security-wise that it cannot do business, but neither can it be easy for cybercriminals to breach.
“To address this balance, auditors need to come up with processes to highlight risks and ensure that there are adequate controls in place,” he says.
Choo says auditors typically rely on the ‘three lines of defence’ model which comprises:
- Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes to the highest levels of the organisation. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks;
- Risk management and compliance functions: Management has to facilitate and monitor the implementation of effective risk management practices, and help risk owners in reporting adequate risk-related information up and down the line; and
- Internal audit: The internal audit function provides objective assurance to the board and executive management on how effectively the organisation assesses and manages its risks.
This ensures there are checks and balances that can help mitigate risks, adds Choo.
On how prepared the auditing industry is, Tichaona Zororo (pic), director of Enterprise Governance of IT (EGIT) in South Africa, says there is a global shortage of skills but argues that the awareness of the need to address this gap is rising.
He says said there are a number of information system audit control associations being set up to cater for work in IT governance.
“Internal auditors today must have skills to audit cybersecurity and thus, it’s imperative to develop these skills,” he says.
“A number of institutions have developed certification specially for auditors, including the one I involved with, which is the Information Systems Audit Control Association or ISACA,” he says.
IIA Malaysia’s Wong says that the global arm of IIA is looking into this matter and has in fact recently set up with committee on this.
“If you are an internal auditor, you can’t run away from this anymore,” she says.
“As auditors, cybersecurity is the highest priority for at least the next two to three years, so there is no choice but for them to build these skills.
“Simply put, we need to move with the times,” she adds.
21st Century Risk Management Part 1: Managing risk means taking risks
Cybersecurity industry facing AI, privacy and trust issues: RSA president
APAC firms unprepared for wearable tech in the workplace: ISACA survey
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.