In addressing cyber risks, internal audit departments need to leverage industry frameworks to perform audits in line with current practices. However, the constant release of new cybersecurity frameworks and guidance makes it difficult for auditors to keep up with developments and ensure they are auditing against the latest frameworks.
Although cybersecurity has become a top risk for boards of directors and audit committees, organizations worldwide do not follow a single comprehensive framework. Instead, guidance bodies such as the Committee on Payments and Market Infrastructures (CPMI), the International Organization for Standardization (ISO), the U.S. Federal Financial Institutions Examination Council (FFIEC), and the U.S. National Institute of Standards and Technology (NIST) have each released their own cybersecurity frameworks.
These frameworks contain many of the same concepts. Some frameworks go beyond those basics to detail maturity levels that organizations can measure themselves against to see whether they are meeting the framework's target cybersecurity objectives. By evaluating each framework and selecting the one that best fits the organization's strategic vision, culture, and security posture, internal audit departments can assess the right risks and provide effective assurance on their organization's state of cybersecurity.
One of the first steps in a cybersecurity audit is deciding which framework to use and how deep into it internal audit will go. Each framework has high-level domains that break down into lower-level components, requirements, or assessment factors, and audit can stop at the domain level or test each individual factor. The level of granularity internal audit chooses should depend on factors such as the organization's risk tolerance and regulatory expectations.
Sample Cybersecurity Frameworks
Two frameworks that can be used to measure cybersecurity maturity: the FFIEC Cybersecurity Assessment and the NIST Cybersecurity Framework.
Before selecting a framework, internal audit must decide whether it will give management a checklist of compliance results or a report on the maturity of management's processes. As in a compliance audit, internal audit can use a framework such as the one issued by the CPMI to determine whether the organization's cybersecurity measures meet the framework's requirements. Frameworks issued by the FFIEC and NIST, on the other hand, define maturity levels or benchmarks that must be assessed more judgmentally (see "Sample Cybersecurity Frameworks," right). Their maturity scales run from baseline, largely informal practices up to innovative ones, and the rating reflects how well risk-informed decisions are being made and managed. The decision to report on compliance or maturity will drive the overall cybersecurity audit plan.
In assessing the various frameworks, internal audit should use a risk-based approach to determine its audit scope. Not every requirement or assessment factor will apply to the organization. Current risk management practices, the threat landscape, legal and regulatory requirements, and organizational challenges should all inform internal audit's assessment. However, when building its audit plan and scope, internal audit should ensure that anything excluded from scope is documented, with the reason for the exclusion, so the department can justify its approach to senior management and other stakeholders. This practice helps demonstrate that audit coverage is complete and right for the organization.
Applying the Framework
The framework internal audit selects will provide the guidance necessary to ask management the appropriate questions. It also can lead to greater understanding of how IT security teams are managing technology risks, including risks from new technologies.
Conducting walkthroughs with IT and security management will help auditors understand the controls that mitigate the organization's risks. Mapping those controls to the chosen framework shows whether audit coverage is complete and accounts for the organization's various locations, tools, and centralized vs. decentralized processes: any framework requirement with no control mapped to it is a coverage gap the audit program cannot test. The completed mapping documents that the audit scope is thorough and provides evidence that internal audit understands the organization's security environment.
The next step is establishing internal audit's testing strategies. An inherent risk within every audit is that tests will not identify the material issues that may exist in the control environment. To mitigate this risk, auditors should ensure the test objectives detailed in the industry framework are tied into their audit program. If internal audit is leveraging a framework that has specific requirements, it can develop testing strategies to ascertain whether the current controls are meeting these requirements. If the purpose of the audit is to assess the organization's level of cybersecurity maturity, testing strategies will need to incorporate the framework's various maturity components to determine the measurability and repeatability of the key controls.
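The scoping, mapping, and testing steps above can be kept honest with a small amount of structure. The script below is an added example, not code from the article or from any framework publisher: it holds constructed assessment factors (the IDs, domains, and statements are made up for illustration and are not taken from the FFIEC, NIST, or CPMI documents), maps controls and their test results to those factors, refuses to proceed if an out-of-scope factor lacks a written justification, reports unmapped factors as coverage gaps, and rolls the results up two ways, as a compliance list of unmet factors and as a per-domain maturity tier. The tier names follow the FFIEC assessment's ordering (baseline through innovative) as an assumption about how a maturity scale is layered; the cumulative rule that a domain only reaches a tier when every lower tier is fully met is the example's own design choice.

```python
"""Control-to-framework mapping and maturity roll-up for a cybersecurity audit.

Added example, not from the article. Domains, factors, controls, and scope
exclusions below are constructed for illustration, not drawn from any
published framework. Tier names follow the FFIEC assessment's ordering.
"""
from dataclasses import dataclass, field

TIERS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]


@dataclass(frozen=True)
class Factor:
    factor_id: str      # constructed identifier, e.g. "GOV-01"
    domain: str
    tier: str           # maturity tier the factor belongs to
    statement: str


@dataclass
class Control:
    control_id: str
    factors: tuple      # factor IDs this control is mapped to
    test_passed: bool   # outcome of internal audit's test of the control


@dataclass
class Scope:
    excluded: dict = field(default_factory=dict)  # factor_id -> justification


def validate_scope(factors, scope):
    """Every exclusion must name a real factor and carry a written justification."""
    known = {f.factor_id for f in factors}
    problems = []
    for fid, reason in scope.excluded.items():
        if fid not in known:
            problems.append(f"{fid}: excluded factor not in framework")
        elif not reason or not reason.strip():
            problems.append(f"{fid}: exclusion has no documented justification")
    return problems


def factor_status(factors, controls, scope):
    """Classify each factor: out of scope, unmapped (coverage gap), met, or not met."""
    results = {}
    for c in controls:
        for fid in c.factors:
            results.setdefault(fid, []).append(c.test_passed)
    status = {}
    for f in factors:
        if f.factor_id in scope.excluded:
            status[f.factor_id] = "out of scope"
        elif f.factor_id not in results:
            status[f.factor_id] = "unmapped"      # no control maps here: nothing was tested
        elif all(results[f.factor_id]):
            status[f.factor_id] = "met"
        else:
            status[f.factor_id] = "not met"       # at least one mapped control failed
    return status


def coverage_gaps(status):
    return sorted(fid for fid, s in status.items() if s == "unmapped")


def unmet_factors(status):
    return sorted(fid for fid, s in status.items() if s == "not met")


def maturity_report(factors, status):
    """Per domain, the highest tier at which every in-scope factor of that tier and
    all lower tiers is met. Unmapped factors block the tier: a coverage gap cannot
    support a maturity claim. A tier with no in-scope factors passes through."""
    report = {}
    for domain in sorted({f.domain for f in factors}):
        achieved = None
        for tier in TIERS:
            tier_factors = [f for f in factors if f.domain == domain and f.tier == tier
                            and status[f.factor_id] != "out of scope"]
            if all(status[f.factor_id] == "met" for f in tier_factors):
                achieved = tier
            else:
                break
        report[domain] = achieved
    return report


def run_audit(factors, controls, scope):
    problems = validate_scope(factors, scope)
    if problems:
        raise ValueError("scope not defensible: " + "; ".join(problems))
    status = factor_status(factors, controls, scope)
    return {"status": status, "maturity": maturity_report(factors, status),
            "gaps": coverage_gaps(status), "unmet": unmet_factors(status)}


# Constructed sample data (hypothetical factors and controls).
FACTORS = [
    Factor("GOV-01", "Governance", "baseline", "Security policy approved by the board"),
    Factor("GOV-02", "Governance", "evolving", "Policy reviewed annually against threats"),
    Factor("GOV-03", "Governance", "intermediate", "Cyber risk appetite tracked by metrics"),
    Factor("DET-01", "Detection", "baseline", "Security event logs retained and reviewed"),
    Factor("DET-02", "Detection", "evolving", "Alerts correlated centrally across units"),
    Factor("DET-03", "Detection", "intermediate", "Detection use cases tested against intel"),
]
CONTROLS = [
    Control("C-01", ("GOV-01",), True),
    Control("C-02", ("GOV-02",), True),
    Control("C-03", ("GOV-03",), False),
    Control("C-04", ("DET-01",), True),
]
SCOPE = Scope(excluded={"DET-03": "No threat intelligence feed in use; revisit next cycle"})

if __name__ == "__main__":
    for key, value in run_audit(FACTORS, CONTROLS, SCOPE).items():
        print(f"{key}: {value}")
```

Running the sample reports GOV-03 as not met (a compliance finding), DET-02 as a coverage gap (no control mapped, so the audit program never tested it), and a maturity of "evolving" for Governance but only "baseline" for Detection, because the unmapped DET-02 blocks the evolving tier. Blanking the DET-03 justification makes `run_audit` raise before any result is produced, which is the point of documenting exclusions up front.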
The good news is the current cybersecurity frameworks have the necessary details to help drive these assessments. In certain instances, internal auditors will need to judge whether the correct ratings are being reported. In an organization with strict risk and control requirements, management may find it more meaningful for internal audit to assess the maturity level of the security organization and identify any potential security gaps. This can determine whether the organization is meeting its cybersecurity goals.
Organizations that have recently implemented a more formal security department can use a framework that has specific requirements to develop a benchmark for the new function. This benchmark can help the organization begin meeting the baseline maturities of the other frameworks before internal audit performs a detailed maturity assessment.
Validating Cyber Controls
Basing their internal audit work on a cybersecurity framework can enable internal auditors to understand their organization's security landscape and validate that appropriate controls are in place to protect the organization. Moreover, it can enable regulators to leverage internal audit's knowledge and workpapers in assessing whether the organization complies with cybersecurity regulations.
After reviewing different frameworks, internal auditors can identify new cybersecurity requirements and explain in detailed steps how the organization can reach a higher level of cybersecurity maturity. Additionally, by performing an extensive cybersecurity review, auditors can have more meaningful conversations with senior management in the audit, information security, and IT functions to address cybersecurity risks and controls.