Question:
The internal audit function, of which you are a member, has identified cyber security as a significant, pervasive risk that is escalating, with potential for significant adverse impact on the organization. This could include loss of data, disruption of operations, destruction of automated systems and equipment, financial loss, negative customer reputation, legal costs, and more!
Management of the Information Technology function agrees that cyber risk is important, but claims to have reduced both the likelihood and the impact by spending millions of dollars on mitigation strategies, including:
Hiring highly experienced information security professionals with excellent skills, and supplementing them with contract resources with specialized skills.
Adding new technical controls.
They say that their confidence is warranted; the organization hasn't experienced a cyber security event of the type that one reads about in the press almost daily. In fact, they are annoyed that internal audit is causing the audit committee of the board of directors to focus on cyber risk.
The audit team assigned to focus on cyber security risks reports that they are having a hard time obtaining information from management, who seem to be irritated by the requests for information.
So far, auditors have identified some potential issues:
Lack of clear accountability among different groups in the Information Technology function.
Ineffective communication between Information Security and business functions.
There are no documented procedures for how to respond to a cyber incident.
The risks from insider threats have not been considered.
The audit team is having a meeting to discuss next steps.
1. What guidance do the IIA Standards provide to the auditors?
2. What other information from the organization or IT might internal audit want to review?
3. Are there any other persons outside of the IT function auditors should interview?
4. What other information could be helpful in discussing these topics with management?