Utilizing penetration testing to enhance internal audit activities
The goal of internal audit is to support the organization in its risk management activities. Internal audit does this through being an internal barometer for an organization to identify areas for improvement across business functions and internal services. In recent years, internal audit departments have found themselves diving deeper into technical information technology (IT) areas to better align IT risk management with enterprise risk management (ERM).
As internal audit departments focus more on IT risks, the skills needed to effectively review technical IT areas (such as server configuration management, patch management or security event monitoring) have changed. While understanding business operations and financial processes are still foundational to internal audit departments, they may not carry as much weight when talking with IT departments because security risks in today’s world have evolved. This is why many internal audit departments have looked to supplement their internal team members with external partners that bring a more technical skill set to the table.
Organizations face many challenges when it comes to securing their systems, applications and data. At the forefront of those challenges is continuously monitoring for newly discovered vulnerabilities that could allow an attacker access to confidential or sensitive information. Most organizations have established operational controls to patch their systems and maintain a secure network perimeter to keep attackers from gaining access to internal systems. However, the threats are not just external; internal threats such as disgruntled or careless employees can also cause significant harm to an organization’s reputation and cause a data loss event. It is internal audit’s role to test the effectiveness of those operational controls to identify risks that the organization may not be adequately managing.
External penetration testing activities allow an internal audit department to validate that the risk of malicious outside attackers breaching the organization’s perimeter and gaining access to internal systems and data has been properly mitigated. External penetration testing utilizes publicly available information with minimal knowledge of the organization’s IT environment to test that internet-facing systems and applications have been properly secured and are free from known vulnerabilities that could allow an attacker to exploit a vulnerability and gain a foothold within the internal network.
Internal vulnerability scanning activities allow an internal audit department to validate that operational activities, such as patch management, management’s own vulnerability scanning process, and secure configuration of internal systems, are being performed and executed effectively. Internal vulnerability scanning utilizes automated tools to discover internal systems and services running on those systems, and then probes those systems deeper to identify if any known vulnerabilities exist that could be exploited to allow an attacker access to confidential information. Additionally, if these activities are performed utilizing credentials, the scans can reveal whether an organization is effectively patching third-party applications installed on internal systems (which is one of the most overlooked areas of effective patch management). These activities provide a better understanding of the effectiveness of IT operations and identify previously unknown and unmanaged risk areas.
Many internal audit departments do not have the resources internally to perform external penetration testing or internal vulnerability scanning. Therefore, it’s important for internal audit leaders to find technical partners to assist in the performance of specific IT or cybersecurity related testing activities. The goal in finding the right partner is to ensure their skill sets align to the specific needs of the internal audit department, and that they understand the role of internal audit in helping the organization identify and effectively manage its risk.
