Now more than ever, organisations are likely to evaluate cyber-security risk in their annual audit plans.
According to Protiviti's 2016 Internal Audit Capabilities and Needs Survey report, 73 percent of organisations now include cyber-security risk in their internal audits, an increase of 20 percent year-over-year. Over 1,300 internal audit professionals from virtually all industry sectors around the globe participated in the survey.
More than half (57 percent) of respondents have received inquiries from customers, clients and/or insurance providers about the state of cyber-security in their organisation.
Strengthening the ability to address cyber-security risk is a need among most internal audit groups. The survey found that these capabilities are much stronger for top-performing organisations.
The survey identified two critical success factors for establishing and maintaining an effective cyber-security plan: a high level of engagement by the board of directors in information security risks, and the inclusion of cyber-security risk evaluation in the current audit plan.
Companies with at least one of these factors will have a stronger risk posture to combat cyber-threats. Almost all organisations (92 percent) with a high level of board engagement in information security risks have a strategy in place, compared to 77 percent of other organisations. Likewise, 83 percent that include cyber-security risk in their yearly audit plan have a risk policy compared to only 53 percent that don't include it in their audit plans.
The top 10 priorities for internal audit in 2016 are:
1. ISO 27000 (information security)
2. Mobile applications
3. NIST Cyber-security Framework
4. GTAG 16 – Data Analysis Technologies
5. Internet of Things
6. Agile Risk and Compliance
7. ISO 14000 (environmental management)
8. Data Analysis Tools – Statistical Analysis
9. Country-Specific ERM Framework
10. Big Data/Business Intelligence
Mark Peters, managing director, internal audit, Protiviti, said: “Companies are trying to ensure business-as-usual systems are secure and effective as well as working to drive change through the introduction of new technologies, greater digitisation and mobilisation of internal and customer-facing systems. These factors, coupled with the increasing cyber-threats, are driving internal audit to increase its IT audit capabilities each year and raising technology issues up the priority list for internal audit. It is essential for internal audit functions to act now in order to keep pace with this change.”