Marketing Communications Manager at ERP Maestro.
What Keeps Chief Audit Executives Awake at Night?
With uncertainty at peak levels in global markets, once-stable industries and political institutions, it’s no surprise that the watchdogs of businesses – chief audit executives – are on edge about their company’s potential risks. Chief audit executives (CAEs) are expecting their internal teams to meet the increasingly high requirements in overseeing cybersecurity, data protection, and third-party vendors while staying abreast of emerging risks.
In a recent survey by the Institute of Internal Auditors (IIA), most of the respondents (87 percent) identified as chief audit executives and shared their concerns and current preparedness for four key areas of risk, including cybersecurity and board and management activity. Consider the survey’s findings on what keeps chief audit executives awake at night.
Cybersecurity Is a Growing Risk, but Not Taken Seriously
Companies are up against the wall when it comes to combatting cybercrime. First, it’s incredibly cheap and accessible to pull off a scam or attack via the dark web. Second, the profits generated from cybercrime are enough to employ thousands of hackers and cybercriminals. In 2018 alone, cybercrime was expected to generate $1.5 trillion of profit and was estimated to be the 13th largest GDP in the entire world. Coupled with the rising threat of insider attacks within the company’s systems, it’s enough to make any chief audit executive stay up all night. In fact, the survey reported that 70 percent of CAEs say potential reputational damage from inappropriate disclosure of private data is a high or very high concern. Not to mention that the SEC can even hold executives personally accountable for improper disclosure of cybersecurity risks.
As it turns out, internal audit teams aren’t as worried, or perhaps aren’t skilled enough, to properly oversee cybersecurity risk. The survey reports that 51 percent of CAEs say lack of cyber expertise within the internal audit staff is an obstacle to addressing cybersecurity risk. Forty-three percent said the lack of cooperation or communication from the IT department is an obstacle to addressing cybersecurity risk.
Looking at the gaps, the solution is obvious. Internal auditors need more education on cybersecurity compliance and regulations, along with more face time with IT executives and staff. Moreover, internal auditors can do their part to assist in cybersecurity risk by testing internal IT controls, determining which datasets are most sought-after by cybercriminals, and creating detailed crisis plans to mitigate risks if a data breach occurs.
No Processes for Third-Party Vendor Oversight
In today’s economy, no business can operate solely by itself. The reliance on third-party vendors is not only crucial for operations, but a smart investment to stay competitive. However, chief audit executives are uneasy about how third-party service providers are monitored, and it’s not without cause. In 2014, hackers used a vendor’s stolen login credentials to penetrate Home Depot’s computer network to install malware, resulting in a massive data breach. That same year, employees from a service provider of AT&T were found guilty of unauthorized access of consumer accounts to steal personal information.
The survey found that 48 percent of CAEs say third-party monitoring processes are ad hoc, weak, or nonexistent, and only nine percent say those efforts are strong. With cybercrime efforts growing stronger, internal audit teams must take third-party monitoring of their vendors more seriously. This includes tracking SLAs with vendors and making sure risks are identified and escalated properly when they arise. In addition, the selection of vendors must also be re-examined. Before departments decide to go with a third-party vendor, internal audit should first identify the inherent risk profile of the product/service to be outsourced and understand the vendor’s controls to mitigate the inherent risks posed by the business-vendor relationship. Only then can companies move forward with a vendor and set requirements for them to follow in order to reduce potential risks.
Little to No Review of Information Passed on to the Board
Chief audit executives and the board of directors they report to must have open lines of communication with each other, as well as transparency into the activities of the company, including what goes on in the internal audit function. In 2016, about 83% of North American CAEs reported to their employer’s full board or audit committee. However, the information they are reporting to board members or the audit committee is severely lacking proof of accuracy, among other things. The survey found that 57 percent of respondents said they rarely or never discuss with the board or management the accuracy, completeness, timeliness, truthfulness, or transparency of the information internal audit supplies to the board.
This doesn’t mean the information chief audit executives supply to the board is incomplete or inaccurate, but it could indicate that for most respondents there isn’t a process or tool in place to make sure the information is complete and accurate. Internal auditors must utilize tools and processes that can provide validation of completeness and accuracy of their Information Produced by the Entity (IPE). In the case of SOX compliance, for example, access control automation software can provide complete and accurate key reports so that external auditors (and even the audit committee) can understand and evaluate the controls in place.
As the survey indicates, most chief audit executives have a lot to keep them awake at night. However, there is hope for them, so long as awareness of these risk areas grows and internal audit can get the resources they need to fully address them.