In-person conferences and roundtables are back in style across the Three Lines in supporting governance, risk and compliance. Leaders (including executives, board and audit committee members) are engaging at these events in search of new talent, an understanding of emerging risks and best practices to implement at their organizations. And that’s a trend seen across the board. In fact, the 2022 IIA Pulse of Internal Audit report details leadership response in aligning risks to audit plan allocation. The report shows cybersecurity presents the most common high-risk area (85%), but audit plans are only allocating 11% of resources to address cybersecurity.
But there’s good news: during leadership conversations at these industry-leading events, one observation stands out among them all: there is a heightened focus on cybersecurity and information technology (IT) audit challenges. Executives are seeking a baseline level of comfort in response to cybersecurity threats, particularly in response to:
- Remote workforce expectations;
- Increased cost of cybersecurity insurance;
- Digital and cloud migrations; and
- Regulatory reporting updates.
Top five trends
- Skilled resourcing shortages
Resourcing shortages are nothing new to the IT audit and cybersecurity world. The evolution more recently, however, has shifted towards the need for skilled labor (across security operations, compliance and IT internal audit). Individuals across organizations do not have the technical background to challenge an organization's cybersecurity posture. Organizations have either done nothing or utilized some of the following response mechanisms: training and on-the-job upskilling, recruiting (internal and external), co-sourcing / outsourcing, and leadership and management coaching.
- Advisory auditing vs. IT assurance auditing
Many organizations are shifting the mix of their audit programs. In the past, the ratio of business audits to IT audits would generally fall under the 80 / 20 rule, respectively. As a result of the evolution of technology and cybersecurity risk, that percentage is quickly shifting closer to 50 / 50.
In addition, organizations are beginning to take more advantage of advisory auditing. In cases where there are subject matter resources within internal audit or where individuals from technical operations have shifted into internal audit, organizations have the opportunity to better challenge the status quo.
- Project management and security governance
Governance teams feel pressure from the board and audit committee to do more with less. More intentional oversight has been implemented to monitor both project management and governance. From a cybersecurity perspective, tabletop exercises and resiliency efforts are top-of-mind for engaging executives. In response, risk and control functions have sought opportunities to button up security governance and awareness around response mechanisms. Training, policy and procedure revisions and cybersecurity insurance policies have been scrutinized to better respond to today's threat landscape.
- Third-party risk management
With the shift to a remote workforce and a cloud-based architecture, the reliance on effective third-party processes and controls has increased. Resiliency programs and incident response plans are re-balancing the scale of on-prem and off-prem services and considering ideas around redundant cloud environments. With the increase in third-party reliance comes an increased need for third-party due diligence. Both from a reporting perspective (System and Organization Controls (SOC) 2 / NIST / HITRUST / ISO) and from a communication and response perspective, third- and fourth-party service organizations need to be ready to respond to their customers with a mature approach to managing security.
- Automation and analytics
Finally, automation is increasing in use across audit and cybersecurity. Departments are implementing continuous monitoring and testing approaches with a heavier reliance on automation. Within operations, an increase in automation (continuous integration and continuous delivery (CI/CD) pipeline, for example) has challenged second- and third-line groups to develop revised compliance approaches and expectations (for example, systems development life cycle and toxic combinations of access). While these approaches may not be standalone audits or assessments, automation and analytics practices are being embedded across all audit programs to leverage data at all organizations.
What organizations should do now
New challenges and new considerations to old challenges are impacting organizations from an IT and cybersecurity perspective. The top five trends in IT audit serve as a response to these challenges, but (when utilized appropriately) they also act as effective response mechanisms for organizations to proactively combat security threats.
Future articles will more deeply explore these trends. Please reach out to our team if you would like to further debrief how these challenges and trends are impacting your organization!