How Effective Is Your Cybersecurity Audit - Joa - Eng - 0522
Cybersecurity is becoming an increasingly important focus for organizations, and the COVID-19 pandemic has only accentuated cyberrisk for every type of enterprise through telecommuting, the expansion of work environments with videoconferencing software, and the addition of personal devices and private WiFi networks to an organization’s systems.1 In 2022, cybersecurity has topped the list as a critical risk in the European Confederation of Institutes of Internal Auditing’s (ECIIA’s) 2022 Risk in Focus report2 and The Institute of Internal Auditor’s (IIA’s) OnRisk 2022 report3 for the fifth time. One of the most comprehensive risk studies from the World Economic Forum has also recognized cybersecurity as a top risk for several years.4 Strikingly, the OnRisk 2022 report notes that the most significant gap in internal audit competencies is related to cybersecurity. This led to an investigation into how effectively internal auditors can provide assurance about cybersecurity risk management.5
Is a chief audit executive for a regional retail bank in Slovenia. In addition to having served as a lecturer for several universities and
faculties, he has published numerous professional and scientific articles on internal audit, human resources, business ethics and
strategic management internationally. Drašček has spoken at numerous domestic and international conferences, presenting new
tools and insights in internal audit, strategic management and ethics. He won The Institute of Internal Auditors’ (IIA’s) William S. Smith
Award for the highest score on the Certified Internal Auditor (CIA) exam and The IIA’s John B. Thurston Award for the best article about
business ethics. He is the president of The IIA Slovenia.
SERGEJA SLAPNIČAR
Is an associate professor of accounting at the University of Queensland’s Business School (Brisbane, Australia). She researches
the effects of accountability, performance measurement and incentivizing on various employee and organizational outcomes. Her
research has been published in top accounting journals. She has extensive board experience through her service as a nonexecutive
director for various public organizations. She has worked extensively with the Slovenian Directors Association and has trained more
than 1,000 nonexecutive directors in accounting and finance.
TINA VUKO
Is a professor in the department of accounting and auditing at the Faculty of Economics, Business and Tourism at the University of
Split (Split, Croatia). Her research primarily investigates the role of internal and external auditing in enterprise governance, financial
reporting quality and related regulatory environment. She has published more than 30 research papers and participated in a significant
number of academic and professional conferences. She is an active member of the European Accounting Association (EAA) and
Croatian Association of Accountants and Financial Professionals.
MARKO ČULAR
Is an assistant professor in accounting and auditing at the Faculty of Economics, Business and Tourism at the University of Split
(Split, Croatia). He researches cooperation between internal and external audit, effectiveness of audit committees, application of
International Financial Reporting Standard (IFRS) 9: financial instruments, and annual report disclosure quality. He is an active lecturer
at several international professional workshops in the field of accounting and auditing, the leader of several professional projects,
and a member of the supervisory board of a utility enterprise. He is a member of The Institute of Internal Auditors (IIA), the European
Confederation of Institutes of Internal Auditing (ECIIA) and the European Accounting Association (EAA).
© 2022 ISACA. All rights reserved. www.isaca.org VOLUME 3 | 2022 ISACA JOURNAL 1
Planning
The planning phase has three major steps that an
internal auditor must consider:
Performing the Engagement
“Because of rapid changes in environments and enterprises, it is also important to consider how often findings related to cybersecurity risk management are reported to senior management and the BoD.”

During the performing-the-engagement phase, auditors review internal controls. The first step is to define the areas of assurance activities and test internal controls put in place by the first two lines to manage cyberrisk. The quiz uses 12 areas proposed by the Association of Healthcare Internal Auditors (AHIA) and Deloitte.9 These 12 areas are:
1. Cyberrisk management
2. Software security
FIGURE 2: Certifications of Participants (% of respondents)
Certified Information Systems Security Professional (CISSP): 7.1
Certified Information Security Manager® (CISM®): 12.6
Certified in Risk and Information Systems Control® (CRISC®): 8.7
Certified Information Privacy Professional (CIPP): 0
Certified Ethical Hacker (CEH): 2.2
CompTIA Security+: 1.1
Certified Cloud Security Professional (CCSP): 0
Computer Hacking Forensic Investigator (CHFI): 0
Cisco Certified Network Associate Security (CCNA): 1.1
Other IT certification: 16.9

FIGURE 3: Cybersecurity Frameworks Used (% of respondents)
FFIEC Cybersecurity Assessment Tool: 0.5
American Institute of Certified Public Accountants (AICPA) Trust Service Criteria: 8.2
COSO ERM for Cybersecurity: 9.3
A completely self-developed framework: 8.7
A partly self-developed framework based on one or more of the listed frameworks: 16.4
Other: 8.7
No framework used: 18.0
NIST Cybersecurity Framework (CSF): 1.6

20 percent of participants fully outsource cybersecurity audits and 65 percent cosource audits with external providers.

Almost one-third of the respondents come from the financial sector, one of the most highly regulated sectors for risk management in general and for cybersecurity risk management in particular. Eighty-two percent of respondents indicated that their enterprises use one or more cybersecurity frameworks in developing cybersecurity audit plans. Predominantly, they rely on ISO 27001 and ISO 27002 (53 percent), COBIT (40 percent), or NIST (28 percent). Some enterprises (16 percent) use partly self-developed frameworks that are based on these three frameworks (figure 3). Most auditors (62 percent) assessed their enterprise’s maturity level as moderate (3).

The respondents achieved a mean score of 57.9; however, the variation was high. As many as 51 percent of respondents scored higher than 61, indicating a high audit effectiveness level. Looking at the individual phases, the planning phase had the highest mean score (64), followed by the reporting and the performing phases with means of 55 and 54, respectively. However, the results showed that neither the planning and reporting phases nor the performing and reporting phases were strongly correlated. This suggests that even those auditors who do not perform the planning or performing phases effectively still provide the board with an overall opinion about risk management.

There are considerable differences between regions and sectors. Not surprisingly, the IT and telecommunications and financial sectors have the highest scores, with IT and telecommunications ranking significantly higher (75) than any other sector (figure 4). Although Australia, New Zealand and Western Europe have the highest scores among regions, the differences among regions are not significant because variation within each region is large.
FIGURE 4: Cybersecurity Audit Score by Industry

cybersecurity risk management is integrated with enterprise risk management or is an isolated endeavor.
The results of research show that certifications in IT audit matter but can be partially offset by outsourcing cybersecurity audits to third parties. Also, internal auditors should be wary of giving the board an overall opinion if the planning and performing stages of internal audit are not done properly. Ultimately, cybersecurity is not just the responsibility of one person or team, it is the responsibility of the entire organization, since collaboration between internal auditors and other teams (e.g., operational IT, information security) leads to better cybersecurity risk management.

Endnotes
1 Sharton, B. R.; “Will Coronavirus Lead to More Cyber Attacks?” Harvard Business Review, 16 March 2020, https://hbr.org/2020/03/will-coronavirus-lead-to-more-cyber-attacks?autocomplete=true
2 European Confederation of Institutes of Internal Auditing (ECIIA), 2022 Risk in Focus: Hot Topics for Internal Auditors, Brussels, 2022, https://www.eciia.eu/wp-content/uploads/2021/09/FINAL-Risk-in-Focus-2022-V11.pdf
3 The Institute of Internal Auditors (IIA), OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk, USA, 2022, http://theiia.mkt5790.com/OnRisk2022/?webSyncID=201dc9eb-b435-9048-2cb7-ea0e42c9b620&sessionGUID=3abc53b6-5e13-0534-1bde-ab510202bd42
4 World Economic Forum (WEF), The Global Risks Report 2021, 16th Edition, Switzerland, 2021, https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf
5 Slapničar, S.; T. Vuko; M. Čular; M. Drašček; “Effectiveness of Cybersecurity Audit,” International Journal of Accounting Information Systems, 15 January 2022, https://doi.org/10.1016/j.accinf.2021.100548
6 Agrawal, T.; “Nine Mistakes That Internal Auditors Make,” The IIA Netherlands, 16 January 2017, https://www.iia.nl/actualiteit/nieuws/9-mistakes-that-internal-auditors-make
7 The Institute of Internal Auditors has updated the three lines of defense model and renamed it the three lines model.
8 Op cit Slapničar et al.
9 Association of Healthcare Internal Auditors (AHIA) and Deloitte, “Cyber Assurance: How Internal Audit, Compliance and Information Technology Can Fight the Good Fight Together,” USA, https://ahia.org/assets/Uploads/pdfUpload/WhitePapers/CyberAssuranceWhitePaper.pdf
10 Mutune, G.; “Twenty-Seven Top Cybersecurity Tools for 2020,” Cyber Experts, 31 December 2021, https://cyberexperts.com/cybersecurity-tools/
11 The Institute of Internal Auditors (IIA), “Implementation Guidance,” https://www.theiia.org/en/standards/what-are-the-standards/recommended-guidance/implementation-guidance/
12 The Institute of Internal Auditors (IIA), The IIA’s Three Lines Model: An Update of the Three Lines of Defense, July 2020, https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated.pdf
13 Steinbart, P. J.; R. L. Raschke; G. Gal; W. N. Dilla; “The Influence of a Good Relationship Between the Internal Audit and Information Security Functions on Information Security Outcomes,” Accounting, Organizations and Society, vol. 71, p. 15–29, November 2018, https://doi.org/10.1016/j.aos.2018.04.005