To that end, an internal auditor needs broad knowledge of the various areas of the organisation. They need to cultivate capabilities such as risk management skills, accounting experience, project management skills and regulatory knowledge, among other things.
Dynamic nature of Internal Audit
As business organisations in our country grew in size and complexity over the past few decades, the practice of Internal Audit evolved with them. Today the internal auditor uses sophisticated risk modelling, computer-assisted audit techniques and statistical sampling. In addition to providing assurance, they advise on critical business issues and help the organisation anticipate risks. And now a new kind of knowledge requirement is on the horizon: cybersecurity.
Current Scenario
Focal point: Importance of technical expertise
A simple financial and operational audit of the control environment is no longer sufficient. An organisation might have an elaborate system in place for rule-based fraud detection, and the internal auditors may evaluate the set of parameters it uses to detect anomalies in financial transactions. In addition, however, auditing the control environment should involve a deep dive into technical and administrative controls. Only then can they assure management with a high level of confidence that the organisation's critical defences remain robust. To be able to do that, internal auditors need a deep understanding of the underlying technology. Audit professionals who are well versed in the cyber world can be an indispensable resource. By integrating such expertise with the organisation's strategic vision, internal audit can help build a powerful defence.
For example, an organisation might be vulnerable to database manipulation via crafted SQL statements. To identify this weakness an auditor must analyse the firewall configuration to confirm whether it is susceptible to SQL injection attacks. They also have to evaluate governance structures against standards like COBIT or ISO/IEC 27001, focusing on roles, responsibilities and policy adherence.
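The SQL injection weakness named above is easiest to understand when the weak pattern sits next to the hardened one. The following is an added example, not code from the article or from any organisation it describes: it builds a small in-memory SQLite table from constructed sample rows, runs the same lookup once with string concatenation and once with bound parameters, and then shows a heuristic source-code check of the kind an auditor might run to gather evidence of dynamically assembled SQL. The table, rows, function names and the sample source lines are all assumptions made for the illustration.

```python
"""Added illustration of the SQL injection weakness (example code, not from the article)."""
import re
import sqlite3

# Constructed sample data for the demonstration table.
SAMPLE_ACCOUNTS = [
    (1, "alice", 120.00),
    (2, "bob", 75.50),
    (3, "carol", 990.00),
]


def build_demo_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, owner):
    """Deliberately weak: the caller's text is spliced into the SQL string,
    so quote characters in it change the meaning of the WHERE clause."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened form: the driver binds the value, so it is always treated
    as data and never becomes part of the statement."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def compare_lookups(owner):
    """Run both forms on a fresh database and report how many rows each
    returns. A mismatch is direct evidence that the concatenated query
    does not enforce the intended filter."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, owner)),
            "parameterized": len(lookup_parameterized(conn, owner)),
        }
    finally:
        conn.close()


# Evidence check: a line that contains an SQL keyword and also builds the
# statement with string concatenation, %-formatting or an f-string.
_SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
_DYNAMIC_BUILD = re.compile(r"""(\+\s*\w|%\s*\(|%\s*\w|\bf["'])""")


def find_dynamic_sql(source_lines):
    """Return (line_number, text) for lines that look like dynamically
    assembled SQL. This is a heuristic for the working papers, not a proof:
    each hit still needs a human to confirm whether the value is user-controlled."""
    hits = []
    for number, line in enumerate(source_lines, start=1):
        if _SQL_KEYWORD.search(line) and _DYNAMIC_BUILD.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample source lines to exercise the evidence check.
SAMPLE_SOURCE = r'''
query = "SELECT * FROM users WHERE name = '" + name + "'"
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
cur.execute(f"DELETE FROM sessions WHERE token = '{token}'")
total = subtotal + tax
'''.strip().splitlines()


if __name__ == "__main__":
    print(compare_lookups("bob"))            # both forms return 1 row
    print(compare_lookups("x' OR '1'='1"))  # vulnerable: 3 rows, parameterized: 0
    print(find_dynamic_sql(SAMPLE_SOURCE))   # flags lines 1 and 3
```

The row-count comparison is the audit evidence: for an ordinary owner name both forms agree, while for input containing a quote the concatenated query returns every account and the bound-parameter query returns none. The source scan is deliberately simple and will produce false positives; its value is in pointing the auditor at the statements that deserve a closer look, not in replacing that review.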
Some of the key technical skills required of an internal auditor are as follows:
System administration
Risk management
Vulnerability management
Security testing tools
Whom to turn to for help?
Internationally established regulations and standards can be a good place to start. For an organisation that is keen on data protection, compliance with GDPR is perhaps the best solution. Financial integrity can be ensured through Sarbanes-Oxley. Some of the frameworks that assist in implementing and evaluating a cybersecurity risk management programme are given below:
ISACA: a professional membership organisation committed to the advancement of digital trust by empowering professionals. Its Cybersecurity Audit Certificate programme covers four key areas: cybersecurity and audit's role, cybersecurity governance, cybersecurity operations, and specific technology topics, to help auditors advance their understanding of cyber-related risk and their ability to prepare for and perform cybersecurity audits.
ISO/IEC 27001/27002: published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 sets out the requirements for an Information Security Management System (ISMS), and ISO/IEC 27002 offers best practices and control objectives for key cybersecurity aspects including access control, cryptography, human resource security and incident response.
SEC Cybersecurity Guidance: the Securities and Exchange Commission (SEC) of the United States has published cybersecurity guidance for registered investment companies and investment advisers, including steps to consider in addressing cyber risk. It includes rules such as disclosure of cybersecurity incidents, disclosure of cybersecurity risk management and strategy, and disclosure of cybersecurity governance.
Trust Services Criteria (TSC): standards developed by the American Institute of Certified Public Accountants (AICPA) to evaluate and report on the controls and processes related to information systems.
The TSC align with the 17 principles presented in the COSO Internal Control-Integrated Framework. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) originally released these principles for developing and maintaining effective internal controls in 1992 and updated them in 2013.
What about turning to sophisticated technologies?
As cybersecurity attacks become more sophisticated and frequent, traditional methods are increasingly insufficient to detect and respond to new types of attacks.
To address today's varied cybersecurity issues intelligently, popular AI techniques involving machine learning and deep learning methods, as well as knowledge-based or rule-based expert systems, can be used.
Artificial Intelligence (AI) and Machine Learning (ML) can be used to analyse threat patterns and even predict potential breaches before they occur. AI and ML technologies have made remarkable progress in bolstering network security, offering advanced capabilities to detect and counteract threats such as Distributed Denial of Service (DDoS) attacks, unauthorised network intrusions and Advanced Persistent Threat (APT) attacks with increased efficiency and accuracy.
An effective first step for internal audit is to conduct a cyber risk assessment and present the findings to the audit committee and board, which will then drive a risk-based, multiyear cybersecurity internal audit plan.
Last words
Cybersecurity brings extraordinary challenges to any organization operating in an environment marked by rapid technological change. For internal auditors, strong cybersecurity skills are rapidly becoming indispensable for career growth and advancement. An auditor with robust cybersecurity knowledge can effectively assess an organization's IT controls, identify vulnerabilities, and evaluate the effectiveness of incident response plans. This goes beyond just checking boxes; it involves understanding technical concepts like network architecture, data encryption, access management, and cloud security, as well as the practical implications of various cyber risks.
By developing these skills, internal auditors can transition from traditional financial audits to more specialised IT and cybersecurity audit roles, which are in high demand and often command higher salaries. Furthermore, it positions them as trusted advisers to senior management and boards, providing critical insights into emerging risks and helping to shape the organisation's cybersecurity strategy. Certifications like CISA (Certified Information Systems Auditor) or even CISSP (Certified Information Systems Security Professional) can significantly boost their credibility and open doors to leadership positions such as Chief Audit Executive (CAE) or specialised IT Audit Manager roles, demonstrating a commitment to staying ahead in the evolving risk landscape. This will ensure the delivery of audit results that enable organisations to address the challenges of the ever-evolving cyber landscape.
bnkundu.mk@gmail.com