New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.
The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.
The new U.S. rules, along with the upcoming deadline to meet strict European Union guidelines on data protection, are high-profile examples of where internal audit can provide important assurance on information technology (IT).
But it is important, indeed crucial, for organizations to understand that management of cyber risks and data protection are only part of the overall IT governance picture and that internal audit can and should play a larger role than simply acting as the cybersecurity police.
A recently published IIA Global Technology Audit Guide (GTAG) provides direction and insight on internal audit's approach to auditing IT governance. The GTAG's executive summary captures the benefits of strong IT governance and describes how proper IT governance can help organizations achieve their goals.
From the GTAG executive summary:
"Effective IT governance contributes to control efficiency and effectiveness, and allows the organization's investment in IT to realize both financial and nonfinancial benefits. Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance."
The benefits of effective IT governance are significant. In addition to aligning IT strategies with organizational objectives, it helps identify and properly manage risks; optimizes IT investments to deliver value; defines, measures, and reports on IT performance using meaningful metrics; and helps manage IT resources.
Sound IT governance helps organizations address IT challenges, such as the growing complexity of IT environments, growing use of data to make business decisions, and, as previously discussed, the growing number of laws and regulations associated with the threat of cyberattacks.
As with all governance issues, internal audit is uniquely positioned to give management and the board a clear-eyed assessment on the effectiveness and efficiency of the processes and structures that make up IT governance.
The GTAG provides valuable insights on how responsibilities of multiple governance structures within the organization can overlap. For example, corporate governance oversees conformance processes and is involved in compliance and business governance oversees performance processes.
The key is for internal audit to examine — and to help management and the board understand — the interplay among all three governance structures and not view IT governance as somehow separate and apart. A key message from the GTAG captures this well:
"Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures alternatives are evaluated, execution is appropriately directed, and risk and performance are monitored."
The GTAG provides internal auditors the tools and techniques to build work programs and perform engagements involving IT governance. These include a step-by-step description of engagement planning, from understanding the context and purpose of the engagement to reporting results. Additionally, five appendices provide related IIA standards and guidance, a glossary of key terms, a sample internal controls questionnaire, a risk and controls matrix, and a list of additional resources.
It is important to emphasize that having a well-developed IT governance audit program in place will help integrate IT into the overall governance strategy and take the mystery out of IT, which often contributes to poor IT controls. It also will help position organizations to respond quickly and efficiently to changes in regulations or IT-related risks.
The current scramble to meet upcoming European Union rules on data protection suggest that not enough organizations are taking a comprehensive approach to IT governance. Indeed, those troubles were clearly reflected in an August survey by DocsCorp, reported in The Current State of GDPR Readiness. The survey found 43 percent of respondents from Europe and the United Kingdom identified financial penalties for noncompliance as their biggest concern with the new rules. In Canada and the United States, the survey found 73 percent of respondents had yet to start preparing for the new rules and 54 percent were unaware of the May 25 compliance deadline.
I encourage every chief audit executive to download and review the new GTAG and discuss IT governance with their management and boards. Providing an accurate and unbiased assessment of how IT operates within the organization is another example of where internal audit can add value and help organizations achieve their goals.
As always, I look forward to your comments.