FEATURE FEATURE

How Effective Is Your

Cybersecurity Audit?

C
ybersecurity is becoming an increasingly
important focus for organizations, and the
COVID-19 pandemic has only accentuated
cyberrisk for every type of enterprise
through telecommuting, the expansion of work
environments with videoconferencing software, and
the addition of personal devices and private WiFi
networks to an organization’s systems.1 In 2022,
cybersecurity has topped the list as a critical risk in
the European Confederation of Institutes of Internal
Auditing’s (ECIIA’s) 2022 Risk in Focus report2 and
The Institute of Internal Auditor’s (IIA’s) OnRisk
2022 report3 for the fifth time. One of the most
comprehensive risk studies from the World Economic
Forum has also recognized cybersecurity as a top
risk for several years.4 Strikingly, the OnRisk 2022
report notes that the most significant gap in internal
audit competencies is related to cybersecurity. This
led to an investigation into how effectively internal
auditors can provide assurance about cybersecurity
risk management.5

M AT E J D R AŠČ E K | PH.D., CSX-F, CFSA, CIA, CRMA

Is a chief audit executive for a regional retail bank in Slovenia. In addition to having served as a lecturer for several universities and
faculties, he has published numerous professional and scientific articles on internal audit, human resources, business ethics and
strategic management internationally. Drašček has spoken at numerous domestic and international conferences, presenting new
tools and insights in internal audit, strategic management and ethics. He won The Institute of Internal Auditors’ (IIA’s) William S. Smith
Award for the highest score on the Certified Internal Auditor (CIA) exam and The IIA’s John B. Thurston Award for the best article about
business ethics. He is the president of The IIA Slovenia.

S E RG E JA S L A PN I ČA R

Is an associate professor of accounting at the University of Queensland’s Business School (Brisbane, Australia). She researches
the effects of accountability, performance measurement and incentivizing on various employee and organizational outcomes. Her
research has been published in top accounting journals. She has extensive board experience through her service as a nonexecutive
director for various public organizations. She has worked extensively with the Slovenian Directors Association and has trained more
than 1,000 nonexecutive directors in accounting and finance.

TI N A V U KO

Is a professor in the department of accounting and auditing at the Faculty of Economics, Business and Tourism at the University of
Split (Split, Croatia). Her research primarily investigates the role of internal and external auditing in enterprise governance, financial
reporting quality and related regulatory environment. She has published more than 30 research papers and participated in a significant
number of academic and professional conferences. She is an active member of the European Accounting Association (EAA) and
Croatian Association of Accountants and Financial Professionals.

M A R KO Č U L A R

Is an assistant professor in accounting and auditing at the Faculty of Economics, Business and Tourism at the University of Split
(Split, Croatia). He researches cooperation between internal and external audit, effectiveness of audit committees, application of
International Financial Reporting Standard (IFRS) 9: financial instruments, and annual report disclosure quality. He is an active lecturer
at several international professional workshops in the field of accounting and auditing, the leader of several professional projects,
and a member of the supervisory board of a utility enterprise. He is a member of The Institute of Internal Auditors (IIA), the European
Confederation of Institutes of Internal Auditing (ECIIA) and the European Accounting Association (EAA)

© 2022 ISACA. All rights reserved. www.isaca.org VOLUME 3 | 2022 ISACA JOURNAL 1
 Planning
The planning phase has three major steps that an
internal auditor must consider:

1. Creating strategic plans and understanding

stakeholders’ expectations—Here the internal
auditor needs to analyze industry trends in
cybersecurity risk management, identify and
communicate emerging cybersecurity risk to top
management, and engage in a forward-looking
discussion of cybersecurity threats and risk with
management and the board or the audit committee
to understand their expectations. However, this step
is frequently ignored by auditors.6
2. Making an initial risk assessment—This step
A quiz can be used to score cybersecurity audit directs the cybersecurity audit engagement. It
effectiveness. Enterprises can then use the results to includes identifying the enterprise’s most valuable
compare their cyberaudit effectiveness scores with digital assets (the crown jewels) and the levels
an entire sample, region or industry. A proposed quiz of protection they warrant based on their value
has been developed and its effectiveness is analyzed to the enterprise. The auditor should assess the
herein based on pilot results. vulnerability of identified key digital assets and the
likely impact if these digital assets are stolen or
What Does It Take to Get a compromised. All this can be done in cooperation
Perfect Score? with the first and second lines (of defense)7 in
cyberrisk management: the IT team and chief
Every internal audit has three interdependent
information officer (CIO) or a similar function.8
phases: planning, performing the engagement and
reporting findings. 3. Defining audit criteria—This step defines the
criteria against which internal auditors audit.
The quiz provides a subscore for each of three If the enterprise uses international standards
phases to show which areas need improvement for mapping and measuring cybersecurity risk
(figure 1). If an enterprise performs well in all three management processes, such as International
phases, its score could approach 100 (a perfect Organization for Standardization (ISO)/
score). Scores depend on several factors, such as the International Electrotechnical Commission (IEC)
enterprise’s risk appetite and exposure. The higher standard ISO/IEC 27001 Information Security
the score, the more the internal audit contributes to Management, COBIT®, and US National Institute
the maturity of cybersecurity risk management. of Standards and Technology (NIST) standards,
they represent the audit criteria. Other options
include the Center for Internet Security (CIS) Top
FIGURE 1
20, US Federal Financial Institutions Examination
The Composition of the Quiz Score Council (FFIEC) Cybersecurity Assessment Tool
Planning Performing Reporting and the Committee of Sponsoring Organizations
(40 percent) (40 percent) (20 percent) of the Treadway Commission (COSO) Enterprise
• Proactiveness • Areas of • Frequency of Risk Management (ERM) for Cybersecurity
and strategic review and reporting
planning testing framework, and self-developed standards. Using
• Overall
• Initial risk • Audit opinion about such standards is advisable because they are
assessment procedures cybersecurity developed in several iterations by professional
used
• Cybersecurity associations and numerous experts.
framework • Cybersecurity
criteria tolls checked

2 ISACA JOURNAL VOLUME 3 | 2022 © 2022 ISACA. All rights reserved. www.isaca.org
Performing the Engagement
During the performing-the-engagement phase,
auditors review internal controls. The first step is
to define the areas of assurance activities and test
internal controls put in place by the first two lines to
manage cyberrisk. The quiz uses 12 areas proposed
by the Association of Healthcare Internal Auditors
(AHIA) and Deloitte.9 These 12 areas are:
1. Cyberrisk management
2. Software security
3. Data protection
4. Cloud security
5. Identity and access management
6. Third-party management
7. Infrastructure security
8. Workforce management
9. Threat and vulnerability management
10. Monitoring
11. Crisis management
12. Enterprise resilience
13. Including business continuity planning
To check how well auditors audit these areas, the
quiz adopted the logic of the International Standard
on Auditing (ISA) 500 Audit Evidence, under which
reperformance of controls provides the highest level
of assurance, and inquiry―that is, interviewing the
managers involved―the lowest level of assurance.
A combination of methods (inquiry, observation,
inspection and analytical procedures) ensures
a better score. If the internal audit function uses
reperformance as the standard, that guarantees the
highest score in that part of the quiz.
The second step is to check the cybersecurity
tools an enterprise uses and determine how well
they perform. These tools can be network security
monitoring tools, encryption tools, web vulnerability
scanning tools, network defense wireless tools,
packet sniffers, antivirus software, firewalls, public
key infrastructure (PKI) services, social engineering
tools, managed detection services, penetration
testing, intrusion detection systems and endpoint
protection.10 The more tools that auditors checked,
the higher the quiz score.
© 2022 ISACA. All rights reserved. www.isaca.org
“Because of rapid changes in environments
and enterprises, it is also important to consider
how often findings related to cybersecurity risk
management are reported to senior management
and the BoD.”
Reporting
Reporting the findings to the auditees and the board
of directors (BoD) is the last phase of an effective
cyberaudit. Although the leave-it-to-IT logic still prevails
in many boardrooms, the BoD is ultimately accountable
for overseeing cybersecurity risk, and auditors can
significantly help the BoD exercise its oversight. The
auditors’ report to the BoD should be accurate, objective,
constructive, complete and timely (International
Professional Practices Framework [IPPF] Standard 2420
Quality of Communications11). This can be achieved
by issuing an overall opinion about cybersecurity risk
management that gives the BoD a reasonable assurance
of the effectiveness of such management. Because
of rapid changes in environments and enterprises, it is
also important to consider how often findings related to
cybersecurity risk management are reported to senior
management and the BoD. The provision of an overall
opinion and a higher reporting frequency led to a higher
score on the quiz.
International Sample Findings
The quiz was distributed among the members of 19
IIA affiliates, three ISACA® chapters in Europe and
one ISACA chapter in the United States via monthly
newsletters and emails. One hundred eighty-three
participants completed it, and the scores were
analyzed. The demographics reveal a significant
polarization of competencies. Although almost half
(48 percent) of the respondents have the Certified
Information Systems Auditor® (CISA®) certification or
multiple certifications related to cybersecurity and IT,
40 percent of the participating internal audit functions
(IAFs) have no auditors with professional certification
(figure 2), 31 percent of auditors have no experience
performing cybersecurity audits and 41 percent of
IAFs have no IT auditors. To make up for the lack of
in-house skills and to obtain reliable benchmarks,
VOLUME 3 | 2022 ISACA JOURNAL 3
 FIGURE 2
Certifications of Participants
Certification Percent
None 40.4
Certified Information Systems Auditor® 48.1
(CISA®)
Systems Security Certified Practitioner 0.5
(SSCP)
Certified Information Systems Security 7.1
Professional (CISSP)
Certified Information Security Manager® 12.6
(CISM®)
Certified in Risk and Information Systems 8.7
Control® (CRISC®)
Certified Information Privacy Professional 0
(CIPP)
Certified Ethical Hacker (CEH) 2.2
CompTIA Security+ 1.1
NIST Cybersecurity Framework (CSF) 1.6
Certified Cloud Security Professional 0 The respondents achieved a mean score of 57.9;
(CCSP)
Computer Hacking Forensic Investigator 0 percent of respondents scored higher than 61,
(CHFI)
Cisco Certified Network Associate 1.1
Security (CCNA)
Other IT certification 16.9
20 percent of participants fully outsource
cybersecurity audits and 65 percent cosource
audits with external providers.
Almost one-third of the respondents come from the
financial sector, one of the most highly regulated
sectors for risk management in general and for
cybersecurity risk management in particular.
Eighty-two percent of respondents indicated that
their enterprises use one or more cybersecurity
frameworks in developing cybersecurity audit plans.
Predominantly, they rely on ISO 27001 and ISO 27002
(53 percent), COBIT (40 percent), or NIST
(28 percent). Some enterprises (16 percent) use
partly self-developed frameworks that are based on
these three frameworks (figure 3). Most auditors
(62 percent) assessed their enterprise’s maturity level
as moderate (3).
4 ISACA JOURNAL VOLUME 3 | 2022
FIGURE 3
Cybersecurity Frameworks Used
Framework Percent
COBIT 40.4
NIST CSF 28.4
ISO 27001 and ISO 27002 53.0
CIS Top 20 1.6
FFIEC Cybersecurity Assessment Tool 0.5
American Institute of Certified Public 8.2
Accountants (AICPA) Trust Service
Criteria
COSO ERM for Cybersecurity 9.3
A completely self-developed framework 8.7
A partly self-developed framework based 16.4
on one or more of the listed frameworks
Other 8.7
No framework used 18.0
however, the variation was high. As many as 51
indicating a high audit effectiveness level. Looking
at the individual phases, the planning phase had the
highest mean score (64), followed by the reporting
and the performing phases with means of 55 and 54,
respectively. However, the results showed that neither
the planning and reporting phases nor the performing
and reporting phases were strongly correlated.
This suggests that even those auditors who do
not perform the planning or performing phases
effectively still provide the board with an overall
opinion about risk management.
There are considerable differences between regions and
sectors. Not surprisingly, the IT and telecommunications
and financial sectors have the highest scores, with IT
and telecommunications ranking significantly higher
(75) than any other sector (figure 4). Although Australia,
New Zealand and Western Europe have the highest
scores among regions, the differences among regions
are not significant because variation within each region
is large.
© 2022 ISACA. All rights reserved. www.isaca.org
FIGURE 4
Cybersecurity Audit Score by Industry
Industry Score
IT and Telecommunications Services 74.97
Financial Services 66.05
Public Administration 58.05
Other 54.38
Manufacturing 48.20
Healthcare, Education and Other 45.95
Professional Services
Inspection is the most frequently used procedure
for testing cybersecurity controls, followed by
inquiry and observation; analytical procedures and
reperformance are not used frequently. Twenty-five
percent of respondents indicated that they do not
check any cybersecurity tool, and 75 percent check
one or more cybersecurity tools in an audit cycle.
Forty-three percent of the IAFs report to the BoD
annually, and 14 percent report their findings
quarterly or at every committee meeting. Thirteen
percent of respondents do not report any findings to
the BoD.
Increasing Cybersecurity Audit
Effectiveness
Once a score has been determined, auditors can use
that score to dictate next steps for the organization
to improve its cybersecurity audit processes and,
thus, increase its score. There are several best
practices internal auditors can follow to increase their
cybersecurity audit effectiveness, including:
• Upskill—One factor that can significantly increase
audit effectiveness is increasing internal auditors’
competencies by encouraging and helping them
to get certified. As reported, the most popular
certification in the sample is the CISA credential.
Cybersecurity audits require specialized knowledge
and skills that only upskilling can provide.
• Cosource or outsource, but stay in control—If
IAF competencies are not quite satisfactory, co- or
outsourcing can be helpful to achieve benchmarks.
In the case of cosourcing, internal auditors
should combine the results of various external
audits to create an overall opinion and stay on
top of reporting, because only they know whether
© 2022 ISACA. All rights reserved. www.isaca.org
cybersecurity risk management is integrated
with enterprise risk management or is an
isolated endeavor.
• Engage in all three audit phases—There should
be a strong correlation among all three phases
of the audit in terms of how thoroughly they are
performed. A lack of good planning has severe
implications for the performing-the-engagement
and reporting phases. Understandably, an audit of
a large number of controls will be spread out over
multiple years, but the most pertinent risk factors
should be identified and prioritized to provide a
comprehensive picture of the effectiveness of
cybersecurity risk management in the year
of reporting. LO O K I N G F O R
M O R E?
• Cooperate with the first and second lines—Even
though an independent internal audit is important, • Read Reporting
it should not be isolated from the other two lines, as Cybersecurity Risk to the
suggested by the new three-line IIA model.12 Research Board of Directors.
has found that cooperation among the three lines www.isaca.org/
has very positive results on the effectiveness of reporting-cyberrisk-
cybersecurity risk management.13 Only 8 percent of to-bod
respondents indicated that they cooperate intensively
• Learn more about,
with the first and second lines in determining risk
discuss and collaborate
and dividing assurance activities. Forty-two percent
on information and
of respondents do not have an assurance plan, and
cybersecurity in
17 percent do not cooperate at all with the first and
ISACA’s Online Forums.
second lines. Using assurance mapping to delineate
https://engage.isaca.org/
the duties of each line contributes to more efficient
onlineforums
use of limited internal audit and IT department
resources. Assurance mapping helps formalize in-
depth and ongoing cooperation.
Conclusion
Cybersecurity is an ever-increasing priority, and
organizations need to be able to measure their
cybersecurity audit effectiveness to understand how
best to move forward and strengthen their cybersecurity
practices. Internal audit is effective if the procedures
of planning, performing and reporting on audit findings
on cybersecurity risk management follow standards,
professional guidelines and best practices.
“The results of research show that certifications
in IT audit matter but can be partially offset by
outsourcing cybersecurity audits to third parties.“
VOLUME 3 | 2022 ISACA JOURNAL 5
 The results of research show that certifications in IT 6 Agrawal, T.; “Nine Mistakes That Internal Auditors
audit matter but can be partially offset by outsourcing Make,” The IIA Netherlands, 16 January 2017,
cybersecurity audits to third parties. Also, internal https://www.iia.nl/actualiteit/nieuws/
auditors should be wary of giving the board an overall 9-mistakes-that-internal-auditors-make
opinion if the planning and performing stages of internal 7 The Institute of Internal Auditors has updated the
audit are not done properly. Ultimately, cybersecurity three lines of defense model and renamed it the
is not just the responsibility of one person or team, it three lines model.
is the responsibility of the entire organization, since 8 Op cit Slapničar et al.
collaboration between internal auditors and other teams 9 Association of Healthcare Internal Auditors
(e.g., operational IT, information security) leads to better (AHIA) and Deloitte, “Cyber Assurance: How
cybersecurity risk management. Internal Audit, Compliance and Information
Technology Can Fight the Good Fight Together,”
USA, https://ahia.org/assets/Uploads/pdfUpload/
Endnotes
WhitePapers/CyberAssuranceWhitePaper.pdf
1 Sharton, B. R.; “Will Coronavirus Lead to More
10 Mutune, G.; “Twenty-Seven Top Cybersecurity
Cyber Attacks?” Harvard Business Review,
Tools for 2020,” Cyber Experts, 31 December
16 March 2020, https://hbr.org/2020/03/
2021, https://cyberexperts.com/cybersecurity-
will-coronavirus-lead-to-more-cyber-
tools/
attacks?autocomplete=true
11 The Institute of Internal Auditors (IIA),
2 European Confederation of Institutes of Internal
“Implementation Guidance,” https://www.theiia.org/
Auditing (ECIIA), 2022 Risk in Focus: Hot
en/standards/what-are-the-standards/
Topics for Internal Auditors, Brussels,
recommended-guidance/implementation-
2022, https://www.eciia.eu/wp-content/
guidance/
uploads/2021/09/FINAL-Risk-in-Focus-
12 The Institute of Internal Auditors (IIA), The IIA’s
2022-V11.pdf
Three Lines Model: An Update of the Three Lines
3 The Institute of Internal Auditors (IIA),
of Defense, July 2020, https://www.theiia.org/
OnRisk 2022: A Guide to Understanding,
globalassets/documents/resources/the-iias-
Aligning, and Optimizing Risk, USA,
three-lines-model-an-update-of-the-three-lines-of-
2022, http://theiia.mkt5790.com/
defense-july-2020/three-lines-model-updated.pdf
OnRisk2022/?webSyncID=201dc9eb-b435-9048-
13 Steinbart, P. J.; R. L. Raschke; G. Gal; W. N. Dilla;
2cb7-ea0e42c9b620&sessionGUID=3abc53b6-
“The Influence of a Good Relationship Between
5e13-0534-1bde-ab510202bd42
the Internal Audit and Information Security
4 World Economic Forum (WEF), The Global Risks
Functions on Information Security Outcomes,”
Report 2021, 16th Edition, Switzerland, 2021,
Accounting, Organizations and Society, vol. 71,
https://www3.weforum.org/docs/WEF_The_
p. 15–29, November 2018, https://doi.org/10.1016/
Global_Risks_Report_2021.pdf
j.aos.2018.04.005
5 Slapničar S.; T. Vuko; M. Čular; M. Drašček;
“Effectiveness of Cybersecurity Audit,”
International Journal of Accounting Information
Systems, 15 January 2022, https://doi.org/
10.1016/j.accinf.2021.100548

6 ISACA JOURNAL VOLUME 3 | 2022 © 2022 ISACA. All rights reserved. www.isaca.org