Organizations are moving gingerly into the post-pandemic world with a heightened focus on cybersecurity, with overall cybersecurity spending projected to grow as much as 10% this year, according to IT research firm Canalys. Regulators — already concerned about cybersecurity — have ratcheted up their oversight, vividly illustrated by the U.S. Office of the Comptroller of the Currency's $80 million fine against Capital One last year (see "Capital One Data Breach" below). In fact, cybersecurity was one of the top-ranked risks identified by board members, management, and chief audit executives (CAEs) in The IIA's OnRisk 2021 report.
In this environment, internal audit, as part of its oversight function, has a critical role of helping organizations manage cyber threats by evaluating risks and providing an independent assessment of controls. In turn, this role has spurred the need for cybersecurity skills in internal audit functions.
The heightened concern around cybersecurity has inevitably increased the demand for suitably experienced auditors, says Jamie Burbidge, founder of Bickham Montgomery, a London-based internal audit recruiting firm. "Due to cybersecurity being a relatively recent concern for business leaders, the number of internal auditors at the senior level with relevant experience is quite small," he noted. At present, potential internal audit hires who have the experience and a good grasp of cybersecurity likely are coming from the Big Four accounting firms at slightly more junior levels.
Regardless of the talent source, experts point to several skills and qualifications to look for when hiring. They also cite the importance of soft competencies, the need to plan ahead for resource needs, and the advantages of developing skills internally.
The Right Expertise
Shawna Flanders, director, IT Curriculum Development, at The IIA, says two general skills are important for internal auditors who will be involved in cybersecurity audits: data analysis capabilities and critical thinking. "Deploying critical thinking skills gives auditors the ability to determine how a cyber threat in the wild could impact their organization," Flanders says. Plus, they need to be able to use data to discover unusual activity, inappropriate access, and fraud, and possess a broad understanding of IT general controls as well as application, network, and information security controls, she adds.
In addition, practitioners need to have a deep understanding of relevant threats, such as malware, ransomware or spyware, denials of service, phishing, and password attacks. Given the demands, internal audit functions should consider building dedicated expertise on their team, says Jim Enstrom, senior vice president and CAE at Cboe Global Markets of Chicago. The type of person who can fill this role probably has come up through a technology, cybersecurity, or consulting background, rather than internal audit, he adds.
Ongoing training and an emphasis on more technical cybersecurity-related certifications should also be a focus area, Enstrom says. Certifications demonstrate a basic level of aptitude and indicate that a person is motivated for self-improvement and self-learning. The IIA offers several seminars on IT topics, including cybersecurity, as well as more than a dozen IT courses on-demand. In mid-July, The Institute launched its IT General Controls Certificate, demonstrating the certificate holder's ability to assess IT risks and controls.
In addition, more universities are offering advanced degrees in cybersecurity, in which students also are learning the principles of assurance, as well as how to evaluate controls and risk. For example, the University of Central Florida in Orlando, which offers a certificate in cybersecurity, will begin offering a master's degree in cybersecurity and privacy this fall that will include a technical track covering topics such as hardware, software, and security, and an interdisciplinary track that addresses the human aspects of cyberattacks. These types of programs are an opportunity for recruiting, Enstrom says.
Robert Berry, former executive director of internal audit at the University of South Alabama and now president of consulting firm That Audit Guy, says hands-on experience in cybersecurity is important in considering a hire. Berry says he would look for someone experienced in technology, especially with experience in how networks operate and are secured. "You want to look for somebody who is actively engaged and involved in the craft," he adds — the kind of person who builds his or her own network and tinkers with it, and who is active in chat rooms and forums.
Capital One Data Breach
The U.S. federal government's enforcement actions against Capital One in August 2020, which included an $80 million fine from the Office of the Comptroller of the Currency (OCC), illustrate its increased oversight of cybersecurity issues. The actions stemmed from a 2019 cyberattack that stole the personal information of about 100 million individuals. The OCC fine was the first significant penalty against a bank in connection with a data breach or alleged failure to comply with OCC guidelines. The OCC specifically called out Capital One's internal audit function, saying it failed to identify numerous control weaknesses and gaps and did not effectively report them to the audit committee.
Training, Sourcing, and Collaboration
Rather than hiring from outside, developing skills internally is sometimes a better option, especially in small- to moderate-size departments, Berry says. That way, the auditor is already familiar with the organization and with the procedures involved in conducting engagements, he explains. This approach also might be advantageous for a small department in an industry that does not pay well, which likely will have a hard time recruiting cybersecurity expertise, Berry adds.
In a midsize department or a midsize organization with a small audit department, audit staff might not have the necessary IT knowledge. Keeping in mind The IIA's International Standards for the Professional Practice of Internal Auditing, the organization might consider a co-source provider, Enstrom says, adding that training, skill building, and certifications also are important for these departments. In addition, where the Standards allow, internal audit should consider collaboration with the organization's information security department, he says. Standard 1210: Proficiency, and Standard 2050: Coordination and Reliance, provide guidance in these areas.
Seek Out Soft Skills
"Curiosity is the cornerstone of internal audit," Berry says. "If you can't be curious and ask really good questions, you will fail in your career in audit." Soft skills are probably the most important skills, he says, because a person who possesses them can be taught audit skills. Critical thinking and other soft skills give internal auditors, especially those dealing in a technical area such as cybersecurity, the ability to communicate outside their area and to understand how a cyber threat could affect the organization.
When he started Bickham Montgomery about 10 years ago, Burbidge found that technical proficiency was by far the most sought-after trait for companies when hiring internal auditors. Now, he sees more emphasis on communication skills as part of an internal auditor's role. "You need to be able to communicate, need to be able to persuade, need to be able to partner with the business," he says.
Jeannie Alday, director of Internal Audit for Chatham County, Ga., says in hiring someone with an IT background, she wants to determine whether the candidate will be able to communicate with IT staff, and IT management, but also with county management and others who may have limited background in IT. "Those soft skills are huge, and they're not always easy to spot in the limited interview process," Alday says.
Looking Ahead on Hiring
Given the rapidly changing environment, cyber awareness is fundamental to the execution of an organization's strategy. "In any organization today, cybersecurity is one of the top risks," Enstrom says. In the present environment, boards, management, and other stakeholders need to focus continually on cyber risk and whether their organization has the right skills and resource strategy, he says. Importantly, organizations need to make necessary investments in skills and resources.
Post-pandemic, hiring likely will become more challenging because of pent-up demand, Enstrom says, and demand already exceeds the number of candidates. As a result, audit hiring managers should think more creatively about compensation and other job benefits. He also notes that many cybersecurity professionals have had limited exposure to internal auditing and assurance, may see auditing as having limited opportunity for advancement, and might not consider going into the field.
This perception underscores the necessity of selling the opportunities and value proposition of the profession to prospective job candidates. Compared with going directly into information security, internal audit offers the potential for greater diversity of experience and breadth of opportunity — working with senior executives and board members — and exposure to different projects, Enstrom says. Moreover, because of the importance of good communication skills, time spent in internal audit can be a great learning opportunity for someone who is less comfortable in this area.
"Early in a person's career, working in internal audit really represents a great learning opportunity because you have so many different projects you can work on," Enstrom says. "I think we don't sell that enough as a profession."
As another area of focus for hiring, Enstrom emphasizes the importance of partnering with outside firms or organizations that can help with the candidate sourcing process. He highlights one example, the Greenwood Project. "The Greenwood Project is a nonprofit organization dedicated to introducing Black and Latinx students to careers within the financial industry," he says. "We've had success working with Greenwood Project and we continue to look for ways to strengthen our relationship and promote the profession of internal auditing to Greenwood students and diversity candidates. In addition to accounting and business students interested in financial services, we have been working with Greenwood to promote an interest in IT audit, data analytics, and cybersecurity roles in the internal audit profession."
Meanwhile, when recruiting through universities, internal audit functions need to look beyond the accounting and finance departments and build relationships with computer science and cybersecurity programs. "In my experience, many students in computer science or other IT disciplines are unaware of job opportunities in the internal audit profession," Enstrom says. "Given this, it's really important for the company and recruiter to understand and have relationships with faculty and staff in these colleges, not just the business schools."
The bottom line? "You have to offer competitive salaries, and you have to be very clear and crisp in your value proposition — how internal audit will benefit them in their career," Enstrom says. Moreover, companies recruiting in the post-COVID-19 marketplace will need to think more broadly and consider hiring candidates from outside their geographic area.