​Editor's Note: Under Attack

Organizations are poorly prepared to protect themselves against cyberattacks.

Comments Views

​In this issue, we offer a package of articles on the important topic of cybersecurity. As recent incidents such as Colonial Pipeline, JBS, and Kaseya demonstrate, cyberattacks aren’t slowing down. They are becoming more sophisticated and costly — and many organizations are poorly prepared to protect themselves. 

The IIA recently released two Global Technology Audit Guides (GTAGs) that address internal audit’s role in helping protect their companies. Assessing Cybersecurity Risk: The Three Lines Model, released in late 2020, says auditors should assess:

  • Who has access to the organization’s most valuable information?
  • Which assets are most likely to be attacked?
  • Which systems, if compromised, would cause the most significant disruption?
  • Which data, if obtained in an attack, would cause financial or competitive loss, legal ramifications, or reputation damage?

The latest GTAG, Auditing Identity and Access Management (IAM), 2nd edition, digs deeper into information access management. “[IAM] controls are so fundamental to IT governance and the achievement of the organization’s IT-IS strategies and objectives, that the internal audit activity must examine how organizations control access…” the GTAG states. 

Shawn Chaput, a consultant at Privity, a cybersecurity management company, says companies’ increasing reliance on IAM programs has become the most important risk since cloud computing came to prominence. Unfortunately, those measures often fall short, he tells Internal Auditor in “Reining in Cyber Risk.” 

“Internal auditors should be able to evaluate their organizations’ implementation controls over the establishment of — and accountability for — IDs in every significant system,” writes David Petrisky, IIA professional practices director, in his recent InternalAuditor.org blog post, “Identity and Authentication.” Those systems include applications, databases, servers, network management solutions, and other computing and communications infrastructure, he says. 

As technologies continue to evolve and introduce more threats and opportunities, Charlie Wright says internal auditors need to keep up with the pace of change and be ready to address what’s next. Readers can meet the new chairman of The IIA’s Global Board and learn more about his thoughts on technological transformation in “The Future-ready Internal Auditor.” 

Anne Millage
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Anne MillageAnne Millage<p> Anne Millage is editor in chi​ef of <em>Internal Auditor</em> magazine and editorial director at The IIA.​​​</p>https://iaonline.theiia.org/authors/Pages/Anne-Millage.aspx


Comment on this article

comments powered by Disqus
  • AuditBoard-November-2021-Premium-1
  • OnRisk-2022-November-2021-Premium-2
  • 2021-All-Star-Conference-November-2021-Premium-3



Stopwatch Auditinghttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Stopwatch-Auditing.aspxStopwatch Auditing
Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
Hidden Goalshttps://iaonline.theiia.org/blogs/jacka/2021/Pages/Hidden-Goals.aspxHidden Goals
Building a Better Auditor: Which Way Should I Go?https://iaonline.theiia.org/blogs/Your-Voices/2021/Pages/Building-a-Better-Auditor-Which-Way-Should-I-Go.aspxBuilding a Better Auditor: Which Way Should I Go?