The Role of Internal Audit in Strengthening Cyber Security
Most people think that security and internal audit are two different fields within a company's structure, so they are unrelated and work in totally different ways. However, it turns out that internal audit can play an important part in strengthening cyber security, and the accountant doesn’t need to understand all the technical terms to do so.
With threats to cyber security increasing, and more breaches in the past years affecting not only international companies but local ones as well, internal audit departments are starting to see opportunities to apply their expertise to the company’s risk management and assessment. Tom O’Reilly, internal audit director from Analog Devices, claims that most people (especially auditors) are intimidated when they hear IT terms like vulnerability testing, domains, and firewalls. But those terms are just terms, and the auditor doesn’t have to be intimidated by them. In fact, most of their work focuses on the auditing process and on reviewing the overall condition of the company, not just the financial aspect. Any auditor with good skills and thorough attention should be able to pull it off, despite the technical jargon here and there.
When the auditor understands the whole concept of the business, its objectives, its strategies, the information the company produces, and what matters most to it, the auditor can help strengthen the most important aspects and elements of the structure, resulting in better and stronger cyber security. In fact, Richard Chambers, CEO and President of the Institute of Internal Auditors, says that cyber security isn’t only an IT issue, but a business issue as well.
Internal audit can help by highlighting privacy risk and data security, as well as identifying weaknesses in controls and policies. Moreover, internal audit should perform continuous monitoring, not just a biannual or annual check. Once the company manages to combine all these aspects, it should have better and stronger cyber security.