We understand the specialized markets in which you operate and provide tailored solutions to meet your unique business needs.
Our comprehensive suite of business services combines industry expertise, market knowledge and professional insights.
MNP is a leading national accounting, tax and business consulting firm in Canada.
Suite 2000, 330 5th Ave. S.W.
MNP careers are Different by Design. As an entrepreneurial firm, we truly believe there are no limits to where your career can go.
With data becoming an organization’s most valuable asset, it has also become its most vulnerable. Cyber criminals are continually targeting potential weaknesses in your security stance. Cyber attacks can culminate in an organization suffering costly or irreparable operational, financial and reputational damage.
Just recently we saw a large consumer financial information business suffer a major data breach which impacted over 143 million people and resulted in both its CEO and CISO resigning. Pending results of ongoing investigations, there could be legal, legislative, financial and operational implications for financial institutions and other organizations alike. It is becoming extremely apparent risk management professionals and internal auditors will need to help face the challenge of managing cyber risks.
Here are four key areas that the “third line of defense,” i.e. internal auditors, can focus on to make in impact.
1: Independent and Unbiased
Increasingly, organizations are recognizing the need for an independent review of security measures and performances.
“Internal audit is one of the few voices that is purposely positioned to go across the entire organization, and it is able to look at how the different parts work with each other and make sure the right information is getting to the right people.”
Internal audit activity can provide senior management with independent and objective assurance on governance, risk management and controls pertaining to cyber security. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defence (management and information security, respectively) in managing and mitigating cyber security risks.
Focus areas for internal audit should include the relationship between cyber security and operational risk, prioritizing responses and control activities and performing audits for cyber security risk mitigation across the organization.
Internal audit can help improve the organization’s security posture by looking to:
2: Security Framework Options
In a recent webinar presented to members of the Institute of Internal Auditors in Canada, MNP cyber security consultants Jared Weber and Jason Murray, suggested that when it comes to selecting a cyber security control framework, companies don’t need reinvent the wheel. Organizations should select a framework that works for them; possibly amalgamating a few as one might not meet all your needs. This is because organizations have differing levels of maturity within their information security program. It is important to adopt a framework which allows an organization to meet some standards but also have room for growth.
Frameworks involving international regulations such as the North American Electric Reliability Corporation (NERC), ISO 27001 and payment card industry data security standards (PCI DSS) are required to be met in full for an organization to market itself as being compliant. It is often difficult to accomplish this across an entire enterprise network and many security frameworks are not generalized enough to apply to all organizations.
An example of a flexible framework is The Centre for Internet Security’s 20 Critical Security Controls. This framework was originally intended to provide a roadmap for organizations to help protect against cyber-attacks. The framework uses 20 different categories each of which provide increasing levels of controls from foundational safeguards to advanced security controls and processes. This allows organizations to adopt a framework to a degree which matches their risk appetite.
3: Key Questions Internal Audit Should Ask
The following are key questions which internal audit should try to answer to gain an understanding of an organizations current security posture, risk appetite and its ability to manage and mitigate any potential cyber threats:
4: IIA Canada Webinar Poll Results – Benchmark your Internal Audit Cyber Approach
More than 340 participants polled by MNP and IIA Canada responded to questions about how their business was managing cyber security risks. The results showed a heightened awareness of cyber security but that more work needs to be done.
The results show that of those polled, an organization’s culture moderately influenced cyber resiliency. We note that for many boards and regulators, creating a culture of risk management has become an area of emphasis.
For additional information, please contact a member of the MNP Cyber team.
Related Topics:Internal Audit
Find an office near me