woman working at a desk with cyber security icons overlaid

Internal audit and cyber security Guidelines and a checklist

Internal audit and cyber security Guidelines and a checklist

3 Minute Read

Cyber criminals are continually targeting weaknesses in your cyber security stance — and a successful attack could result in significant financial, operational, and reputational damages to your organization.

As the digital landscape continues to transform, internal audit is playing an increasingly important role as the third line of defense to help ensure that organizations are cyber secure. Discover four key areas that internal auditors can focus on to make an impact.

Data has become every organization’s most valuable asset — but is also its most vulnerable. Cyber criminals are continually targeting potential weaknesses in your security stance. The consequences of a successful attack can result in costly or irreparable operational, financial, and reputational damage to your organization.

In previous years, we saw a large consumer financial information business suffer a major data breach, which impacted millions of people and resulted in the resignation of both its CEO and CISO. These breaches often result in legal, legislative, financial, and operational implications for financial institutions and other organizations alike. It is becoming extremely apparent that risk management professionals and internal auditors will need support to face the challenge of managing cyber risks.

Here are four key areas that internal auditors can focus on to make an impact as the third line of defense within an organization after management and information security.

1. Independent and unbiased

Organizations are increasingly recognizing the need for an independent review of security measures and performances.

“Internal audit is one of the few voices that is purposely positioned to go across the entire organization, and it is able to look at how the different parts work with each other and make sure the right information is getting to the right people.” – Internal Auditor Magazine

Internal audit activity can provide senior management with independent and objective assurance on governance, risk management, and controls pertaining to cyber security. This includes assessing the overall effectiveness of the activities performed by the first and second lines of defense (management and information security, respectively) in managing and mitigating cyber security risks.

Focus areas for internal audit should include the relationship between cyber security and operational risk, prioritizing responses and control activities, and performing audits for cyber security risk mitigation across the organization.

Internal audit can help improve the organization’s security posture by looking to:

  • Be aware of the board of directors and management’s approach to cyber security policy.
  • Identify and act on opportunities to improve the organization’s ability to identify, assess, and mitigate cyber security risk to an acceptable level.
  • Ensure cyber security risk is integrated into the organization’s internal audit plan.
  • Evaluate the organization’s cyber security program against an industry-acknowledged framework.

2. Security framework options & compliance requirements

When it comes to selecting a cyber security control framework, companies don’t need to reinvent the wheel. Organizations should select a framework that works for them — possibly amalgamating several as one may not fully meet your needs. This is because organizations have differing levels of maturity within their information security program. It is important to adopt a framework that allows an organization to meet some standards but also have room for growth.

Frameworks and compliance standards involving international regulations such as the North American Electric Reliability Corporation (NERC), NIST, ISO 27001, and Payment Card Industry Data Security Standards (PCI DSS) are required to be met in full for an organization to market itself as being compliant. It is often difficult to accomplish this across an entire enterprise network and many security frameworks are not generalized enough to apply to all organizations.

An example of a flexible framework is the Centre for Internet Security’s 18 Critical Security Controls. This framework was originally intended to provide a roadmap for organizations to help protect against cyber attacks. The framework uses 18 different categories, each of which provides increasing levels of controls — from foundational safeguards to advanced security controls and processes. This allows organizations to adopt a framework to a degree that matches their risk appetite.

3. Key questions internal audit should ask

The following are key questions that internal audit should try to answer to gain an understanding of an organization’s current security posture, risk appetite, and ability to manage and mitigate any potential cyber threats:

  • Who has access to the organization’s most valuable information?
  • Which assets are most likely to be targeted?
  • Which systems would cause the most significant impact to the organization should they be compromised?
  • Which data, if stolen, would cause financial or competitive advantage, legal ramifications, and/or reputational damage?
  • Is management prepared to react in a timely manner should a cyber security incident occur?
  • Is senior management aware of risks relating to cyber security?
  • Are cyber security policies and procedures in place, understood, and followed?
  • Has management performed risk assessments to quantify their risk exposure?

Understand your cyber security risks

From ransomware to increasingly persuasive phishing schemes, cyber crime is a global issue — and it’s on the rise. Take our interactive self-assessment health check to discover where your organization may be vulnerable to online threats.

4. Governance and culture

An organization’s governance and culture play an important role in managing cyber security risks and influencing cyber resilience. For many boards and regulators, creating a culture of risk management has become an area of emphasis as cyber threats continue to evolve with the digital landscape. Building cyber resiliency into an organization involves aligning its governance and culture to manage risks and enhance security. This includes creating a governance framework that outlines reporting structures, roles and responsibilities, and accountabilities for cyber security. Organizational culture should align with this governance framework through awareness training, employee behaviours, and active commitment from leadership. Internal audit can evaluate the alignment of governance and culture through reviewing organizational policies and procedures, assessing employee training programs, and conducting a culture assessment of the organization. This helps to reveal whether the organization’s leadership, structure, policies, and employee behaviours are working together in alignment to create a strong cyber security posture.

Take the next steps toward enhancing your cyber security

For more information, connect with our Cyber Security and Privacy team. Our team will work with you to set a security and privacy baseline, identify your top threats, and define resilience tactics to effectively future-proof your organization.


  • Progress

    July 12, 2024

    How using SMARTPro can help enhance the value of your practice

    Are you considering selling your practice? Three medium-term strategies can help improve efficiency and enhance the value of your practice.

  • Confidence

    July 10, 2024

    Cheers! Three beverage trends your business can capitalize on

    There’s a buzz in the Canadian beverage industry and it involves three key trends: sober curiosity, functional ingredients, and local products.

  • Progress

    July 09, 2024

    How a strategy to support psychological health and safety can build a stronger and more inclusive workforce

    How can you build a stronger workforce? A psychological health and safety strategy can help your energy and utilities company achieve successful outcomes.