Cybersecurity and data
Examples of cybersecurity issues that concern public sector internal auditors include ransomware, phishing and other intrusions. All of these can interfere with an organization's ability to function for its constituents and put it at risk of using public funds to pay attackers. Local governmental bodies and agencies receive vast quantities of heavily regulated personal and other sensitive data, from both employees and constituents, including personally identifiable information (PII) such as Social Security numbers, protected health information (PHI) covered by HIPAA and credit or bank card data covered by the Payment Card Industry Data Security Standard (PCI DSS). Security surrounding that data is a significant risk, as public bodies are frequent targets for data breaches and ransomware. The risks a public sector organization faces from a data breach are many. The organization could be held liable for the incident and face additional costs, such as providing identity protection services to everyone affected. Organizations also face reputational damage and a loss of public trust if they do not properly protect the data they store.
Because public sector agencies hold valuable data and other assets, they carry substantial cybersecurity risk. Nearly every week, an organization hit by ransomware makes the headlines. More frequently, and with less attention from the news, governments are subjected to phishing schemes and wire fraud attempts. As a result, cybersecurity risks are significant and top of mind for internal auditors.
As a first step, internal audit should conduct a cybersecurity assessment aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. A governmental entity is assessed across a variety of criteria, including system access controls, general IT controls, procurement and the handling of malware. The assessment will also give the organization the information it needs to determine which privacy regulations, if any, apply to it. The organization can then identify and adopt a privacy framework that aligns with its regulatory exposure and its own goals. If data privacy is a significant concern, a separate privacy assessment should also be conducted to inventory the organization's personal data processing activities and identify whose personal data is processed. Because the threats to an organization are always evolving, with new technology and new bad actors appearing constantly, organizations should repeat this sort of assessment regularly, roughly every 18 months, and sooner after a significant system change or security incident.
Public sector entities are struggling with every aspect of workforce management: recruiting top talent, compensating it appropriately given the labor market and retaining it. Although talent is an issue in many industries, governments face disadvantages compared to the private sector. Private sector companies have in many instances been able to respond to events like the COVID-19 pandemic and inflation by increasing salaries and benefits and offering more flexible work options, from schedules to remote work. Governments struggle to keep up. Because of COVID-related uncertainty, many governments froze salaries over the last several years and can no longer compete on compensation with private employers in the same region. Governments are also slower to adjust how they recruit new hires, and they have fewer incentive options, such as remote work, to encourage people to stay in government positions.
Public sector entities may be able to address talent issues more effectively with better information, for example through classification or compensation studies, by examining the efficiency and effectiveness of their recruiting process and by developing new strategies to retain the talent they already have. Internal audit can assist by benchmarking the organization against its peers or evaluating its practices against industry best practice. Internal audit itself struggles to recruit and retain top talent. As a result, many public sector organizations consider co-sourcing or outsourcing arrangements to support the internal audit function.
Respondents to the Baker Tilly survey noted that one area not adequately addressed by their current audit plan was organizational culture. Culture has never been a strong priority for government entities, and the pressure to do more with less in recent years has made it harder for organizational leaders to expect more from their internal audit function than the usual audits of accounting, finance, operations, human resources and information technology.
Internal audit governance
According to internal audit standards, organizational independence is effectively achieved when the chief audit executive reports functionally to the governing body. For some governmental organizations this may not be feasible, necessitating a separate functional reporting line. Most survey respondents noted that their internal audit function reported either to a governing body (such as the board) or to the organization's leader. Because independence and objectivity are of the utmost importance to the internal audit role, it is essential to identify a governance model that fits the organizational structure while still protecting that independence and objectivity. Having governance that works for the organization will better prepare it to deal with the major risks noted by survey respondents. While internal auditors have experienced real challenges related to cybersecurity, data and talent management, there are ways to improve each of these areas with adequate guidance and planning.
For more information or to learn how Baker Tilly's public sector internal audit specialists can help your organization, contact our team.