It's time to upgrade cybersecurity internal audits


It’s happening somewhere right now — an organization that constructed a seemingly secure and reliable technology infrastructure is being hacked. And the attacker might be successful.


Many organizations have data and asset vulnerabilities right at their digital front door. And back door. At every door. When vulnerabilities give way to breaches, the consequences can be massive. The average cost of a data breach in the U.S. continues to rise, and has reached $9.44 million this year.



The sectors most targeted by attackers include finance, healthcare and professional services. 



Cyberattacks come in many shapes, packages and disguises, including malware, phishing, man-in-the-middle attacks, denial-of-service attacks and SQL injection. In the financial world, cryptojacking and blockchain exploitation are on the rise. And, with remote workers now the norm and the enormous amount of activity happening in the cloud, cyber attackers have seemingly endless opportunities.


Internal audit (IA) can play a critical role in ongoing cybersecurity audits. However, IA departments often include only one or two cybersecurity audits in the audit plan. Many departments only react to the latest cybersecurity headline, or an immediate focus from the organization’s leaders.


Cybersecurity is now one of the top risks for almost every organization. To properly mitigate this risk, IA departments need a broader long-term approach that yields a well-defined cybersecurity internal audit plan. To do that, they need to balance three factors.




1. Be comprehensive, but explore specifics



IA departments need a cybersecurity audit plan that is comprehensive, connected and conclusive. In other words, the plan needs to include and integrate all aspects of the business; it needs to recognize the interdependencies between the diverse systems and processes within the organization, and it needs clear and measurable milestones and outcomes. That’s why you need to begin with a thorough and independent assessment of cybersecurity risk.


Cybersecurity audits must include all of the organization’s people, processes and platforms. Get the right people in place to analyze cybersecurity risks in a comprehensive manner. That sounds like an intimidating task, but security risks exist at every level of an organization in the current age of exponential data growth, technology expansion and cyberattack sophistication. A comprehensive approach also needs to have a full understanding of the existing cybersecurity practices in the business and the ways participants exchange and access data.


From the C-suite to the plant floor, and from remote workers to third-party vendors, many players invite potential attacks through their everyday behavior. A comprehensive audit needs to examine actual enterprise performance against company expectations and, where applicable, industry standards. Keep in mind that this can be a broad assessment that leads to more detailed subsequent audits in specific areas.




2. Be connected, but stay secure




The comprehensive evaluation of the separate systems throughout the enterprise will expose how the many levels of the organization are interdependent. Companies are building technology infrastructures that rely on the exchange of data to support processes in areas such as supply chain, HR, training, e-commerce and customer relationship management. So, you need to identify the cybersecurity domains and capabilities that pose the greatest risk to the organization.


“If you look at the information security side of it, cybersecurity spans not just IT, but also the process universe as well as controls and individuals that are involved from a human resource perspective as well,” said Grant Thornton IT and Cybersecurity Internal Audit Managing Director Vikrant Rai. 



For instance, a sales director might need to look into supply chain data to build a sales strategy, or an HR coordinator might need to assess an employee’s training progress in a learning management system. This type of work requires interconnected systems, software solutions and platforms, with interconnected logins, downloads and other actions that can create cybersecurity vulnerabilities. An internal audit must understand how these different systems talk to each other in order to understand who has access to what data. This is a good time to remember that threats don’t only come from outside the company but can also originate from the inside.


The exchange of digital information is often critical to the enterprise, so closing all of the gates is not an option. It’s a difficult balancing act between access and security, but the cybersecurity internal audit looks at these business operations and the platforms they run on to identify security gaps and potential problems, then guide the company to make its data as secure as possible. The cybersecurity internal audit might also discover applicable data and findings in other types of internal audits, like firewall evaluations or third-party vendor audits. Be on the lookout for overlapping audits, to help complete your understanding and avoid redundant efforts.


Knowing and understanding the enterprise-wide technology interdependencies can help you ensure that systems talk to each other safely and securely, without malicious intervention.




3. Be conclusive, but keep evolving



When the cybersecurity audit identifies your security risks, you need a well-defined plan to address them. Your plan needs to be clear and concise about your capabilities and goals, taking the organization’s performance and financial goals into account. It should align with leading practices and industry standards, and must have executive management support. Most importantly, it needs to be a dedicated multi-year plan that is part of your broader audit plan.


In terms of structure, your cybersecurity plan should include six foundational audit domains. 



The six foundational audit domains can lead into many targeted assessments, depending on the needs and aspirations of the enterprise. The list of potential audits and assessments helps illustrate the many possible security threats for an organization.


If an organization overlooks or deprioritizes any of the areas in the cybersecurity internal audit plan, the impact could be costly. Those areas are always evolving, so the plan must keep evolving, too. That’s why you need to embed a dedicated and detailed cybersecurity risk assessment into the broader annual internal audit planning process. The annual audit planning process often excludes a focused and informed risk assessment of cybersecurity across each of the major domains and capabilities of the cyber program. Plus, many audit teams don’t have a defined multi-year audit strategy for cybersecurity. 



The audit and assessment results need to include clear recommendations about short-term and long-term remediation activities, so that management, corporate governance and other leaders can determine the necessary actions. Those actions should include recurring audits to reassess the ever-changing technology landscape.


“Ask yourself, ‘What is it that we need to do on an annual basis?’” said Grant Thornton Internal Audit Cybersecurity Practice Partner Scott Peyton. “Perhaps there is a significant area of exposure that you have as an organization, which you need to come back to and look at every year. Alternatively, you may find emerging cyber risks that arise because the organization is changing.” Cybersecurity audit plans should address some issues every year and can address other issues in multi-year stages. 




Every time a new employee is onboarded, a new software system is launched, or a new vendor is hired, the potential for new cybersecurity attacks can change, and recurring audits can unearth those vulnerabilities. The plan is conclusive with definitive guidance, but it is also open-ended for further revisions and improvements.


Thorough cybersecurity internal audits are critical to businesses of all sizes and sectors. “The impact and the consequence of not having a strong cybersecurity program is really becoming an industry-agnostic conversation,” Peyton said. 



“The biggest point here is that you need to have a cybersecurity audit plan — it needs to be more than just one audit that you roll into the broader IT plan, and it needs to be more precise than that big red risk that you have on the heat map every year,” Peyton said. “Perform a risk analysis and really develop a multi-year cybersecurity audit plan that you can update, to understand what risks are greatest and how you can help the organization understand if those risks are mitigated to an acceptable level.”


No industry is immune from the bad actors looking to steal data and hold companies hostage. The cost of data breaches is likely to keep rising. A comprehensive, connected and conclusive cybersecurity internal audit can help keep you from seeing that cost up close.



