Norman Marks on Governance, Risk Management, and Internal Audit

It happens so often, its almost not worth my time writing about it.

Grant Thornton, like the other external audit firms, provides internal audit services as well. To promote them, they offer advice on matters such as how to perform audits of an organization’s cybersecurity measures and practices.

This week, they published It’s time to upgrade cybersecurity internal audits.

They do share a useful chart on the average cost of a data breach in the US. However, they fail to point out that at $9.44 million, it shouldn’t represent a serious risk to the achievement of an organization’s objectives, let alone its survival. Yes, its rising (a little) every year. But how much return on investment would an organization obtain from further investments in cybersecurity?

Is cyber really a top-ten risk?

In order to know, every organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.

Like so many other misguided consultants, Grant Thornton looks to internal audit to perform the risk assessment.

When will people get it?

ASSESSING RISK AND UPDATING THE ASSESSMENT WHEN IT CHANGES IS A MANAGEMENT RESPONSIBILITY[1]!

The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.

Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.

Yet, Grant Thornton tell us:

“You need to begin with a thorough and independent assessment of cybersecurity risk.”

If management has not completed that thorough and reliable assessment of cybersecurity risk, within the context of enterprise risk and the achievement of enterprise objectives,

REPORT A SERIOUS RISK AND CONTROL DEFICIENCY TO TOP MANAGEMENT AND THE BOARD

One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities.

If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.

The people at Grant Thornton who wrote this made another serious error. They said:

When the cybersecurity audit identifies your security risks, you need a well-defined plan to address them. Your plan needs to be clear and concise about your capabilities and goals, taking the organization’s performance and financial goals into account. It should align with leading practices and industry standards, and must have executive management support. Most importantly, it needs to be a dedicated multi-year plan that is part of your broader audit plan.

Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less!

How can you have a multi-year audit plan in these days?

Even an annual plan needs to be updated at the speed of risk and the business.

I’ve said enough about this foolish (yes, I will go that far) article.

I have explained my approach to auditing cyber several times in the past. It includes:

1. Has management completed and properly maintained an assessment of cyber risk?
2. Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
3. Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed? Do they report at a level that enables them to get management attention and action as appropriate? Do they have a sufficient budget and tools? Do they talk in business language or in technobabble that management and the board cannot translate into business language?
4. If one or more of the above are answered “no”, determine the value of further audit activity. A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk. Report the situation immediately to senior management and the board as a serious issue.
5. Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
6. Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
7. Over time, help management build and maintain an acceptable information security activity and practices.
8. Keep management and the board informed of the level of risk to enterprise objectives.

I welcome your thoughts.

[1]Even when the CAE is also the CRO, internal audit should not be assessing risks to drive management decisions. They should be facilitating management’s assessment.