The Increasing Importance of IT Audits to the BoD

Author: Laura Tate Zannucci, CISA, CISM, CDPSE
Date Published: 6 June 2023

Cybersecurity incidents have become a staple of the news cycle, and every enterprise should be paying attention, regardless of its industry. SolarWinds, Colonial Pipeline, Twitter, Uber, WhatsApp and Microsoft are among the enterprises whose breaches have made headlines in recent years; in 2022 alone, roughly 310 million accounts were reported breached.1 Those headline cases sit alongside the hundreds of incidents reported every day against medical facilities, cities, municipalities, high schools, universities and small to medium-sized enterprises (SMEs).2

In an effort to protect organizations and consumers from such events, government agencies issue guidance on improving processes and management oversight. For example, the US Securities and Exchange Commission (SEC) has proposed rules for publicly traded companies that would hold boards of directors (BoDs) and senior management to higher standards for cybersecurity risk management, governance and incident disclosure.3 The proposal is driven in part by investors’ increasing demand for transparency.

These requirements prompt an obvious question: How can the BoD confirm that the organization is actually meeting them? One of the best ways to identify gaps between what an organization is doing and what it is expected to do is a thorough IT audit. An IT audit not only captures the organization’s investment in the necessary risk assessments, strategies, policies and procedures, but also documents, in a satisfactory and measurable manner, whether the organization is complying with its own policies and procedures and with industry cybersecurity standards.

Organizations (and their BoDs) that choose not to test and measure their investment in cybersecurity documentation, practices and controls are more exposed to liability and potential legal action, especially if an incident or breach occurs. Claimants may assert that the BoD neglected its responsibilities by failing to take sufficient steps to confirm that the organization’s protections were in place and working.

Questions to Ask Before an IT Audit

As cybersecurity responsibilities continue to escalate for organizations and their BoDs, there are several questions that should be asked before an IT audit:

  • Does the BoD have a cybersecurity expert, or does it plan to incorporate a cybersecurity or technology expert, either by recruiting a member or seeking outsourced expertise?
  • Does the organization have the appropriate structure to support cybersecurity enterprisewide?
  • Is the BoD receiving timely and adequate reports on cybersecurity?
  • Are cyber and technology discussions documented in BoD and committee meeting minutes?
  • Is the vendor management program working effectively?
  • Is cybersecurity risk part of the organization’s business strategy, risk management and financial oversight?
  • Is cybersecurity training ongoing and continuous for all employees and the BoD, and is training specific to the organization and its employees’ job responsibilities?

Performing Due Diligence During Auditor Selection

The first step in an IT audit process is selecting the appropriate organization to complete the audit. The internal auditor or senior management should research IT audit firms and determine which firms should receive a request for proposal (RFP). This process should include contacting colleagues and peers to ask who they would recommend conduct the audit. Once the list has been developed, the RFP should be sent to the firms identifying the organization’s specific needs and expectations. The BoD, audit committee or other designated committee should play a role in the auditor selection process.

When determining which auditor to engage, it may be tempting to settle for the least expensive or most convenient option. However, to ensure that the IT audit provides the maximum benefit, it is important to find an IT auditor who takes the time to understand the organization and its needs, and to vet the audit firm fully before engaging it.


Considerations in the due diligence process include:

  • Evaluating the experience, education and certifications of the auditors who will actually perform the IT audit
  • Obtaining and documenting references from the audit firm’s previous clients
  • Requesting a sample IT audit report to assess the depth and clarity of the firm’s findings and recommendations

Understanding Objectives and Scope

The BoD, or a sub-committee of the BoD, is responsible for the organization’s risk oversight, including IT and cybersecurity. This risk oversight includes reviewing and approving the audit risk assessment, audit plan, audit objectives and audit scope. The BoD or sub-committee ensures that the plans, objectives and scope meet the organization’s strategic and operational goals.

An IT audit is essential for evaluating risk management practices, internal control systems and compliance with organizational policies concerning IT-related risk. This makes the IT audit a critical part of creating a secure IT environment and of assessing the risk an organization faces from not complying with its own policies. The IT audit should verify that the controls management claims to have in place are actually implemented, operating and documented, not merely described in policy. In addition, the IT audit should recommend security control improvements to help the organization strengthen its information security posture.


IT audits should be risk-based and specific to the size and complexity of the organization. There are several questions to ask to assess an organization’s current state and help scope an IT audit, including:

  • Product and service offerings:
    • What technologies are used to serve customers?
    • Are those technologies Internet-facing?
    • Are they hosted on premises, in a third-party data center or in the cloud?
  • Most critical vendors:
    • Do vendors provide due diligence documentation (e.g., independent audit reports)?
    • How do those vendors demonstrate that they have secured themselves?
  • Internal technological capabilities:
    • Is the organization using current controls (e.g., multifactor authentication, endpoint detection and response, tested backups) to prevent unauthorized access, malware and ransomware?
    • Does the organization rely on a managed service provider (MSP), and if so, who is accountable for which controls?
    • Are systems and networks patched promptly and monitored for anomalous activity?
  • Cybermaturity:
    • Does the organization follow a recognized cybersecurity standard or framework?
    • Has the organization measured itself against that standard to identify its maturity level and gaps?
  • IT-related risk assessments:
    • Has the organization completed appropriate IT risk assessments?
    • Does the organization measure IT-related risk and the controls that mitigate it?
  • Previous IT audit findings and recommendations:
    • Does the organization track previous findings and recommendations through to remediation?

Additionally, the IT audit should cover emerging areas of focus (i.e., hot topics) based on recent cybersecurity guidance, events and breaches.

IT audits should address IT risk exposures enterprisewide, including the areas of:

  • IT management and strategic planning (governance)
  • Data center operations
  • Cloud computing (if applicable)
  • Client/server architecture
  • Local and wide-area networks
  • Telecommunications
  • Network attack protection
  • Physical and information security
  • Systems development
  • Vendor management
  • Business continuity planning (BCP)
  • Incident response planning

IT Audit Outcomes

The IT audit should identify gaps and vulnerabilities in the organization’s structure, policy, procedures, plans, risk assessments, strategic plans or mitigation strategies. The IT audit report should provide recommendations to remediate any gaps or vulnerabilities noted.

The next step is to assign an owner and an expected completion date to each recommendation. Remediation status should then be reported to the BoD (or designated committee) on a recurring basis until every action item has been resolved or the BoD has formally accepted the residual risk associated with the recommendation. A formal audit remediation process lets the BoD ensure the timely resolution of audit deficiencies and gives it a documented record of the decisions made.

Conclusion

Every organization that leverages technology and the Internet to do business must plan for, manage and monitor rapidly changing technologies to serve existing customers and acquire new ones. Organizations must deliver and support new products, services and delivery channels or risk falling behind. The pace of these changes and the resulting reliance on technology make IT audit coverage essential to an effective cybersecurity program.

The BoD is responsible for ensuring that the IT audit is effective: asking the right questions before the audit, confirming that adequate due diligence has been completed, understanding the scope and objectives of the IT audit, and ensuring that appropriate action is taken by requiring management responses to every exception noted or recommendation made. BoD members bear great responsibility for the decisions the BoD makes, and for those it does not make. Those decisions can affect the organization and BoD members personally, and the actions of the BoD have a critical impact on the organization's profitability and reputation.

Remember, the overall objective of an IT audit is not only to identify gaps and vulnerabilities in an organization’s structure, policy, procedures, plans, risk assessments, strategic plans or mitigation strategies, but also to help the organization make better cybersecurity decisions about how to best operate effectively in today’s enterprise technology risk landscape.

Endnotes

1 Surfshark, “Data Breach Statistics 2021 vs. 2022,” 18 January 2023
2 Federal Bureau of Investigation, Internet Crime Report 2022, USA, 10 March 2023
3 US Securities and Exchange Commission, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” 9 March 2022

Laura Tate Zannucci, CISA, CISM, CDPSE, is an information security consultant and the information security officer for SBS CyberSecurity, LLC. Prior to joining SBS CyberSecurity, Zannucci worked for more than 20 years at financial institutions, serving in various positions including information security officer, internal auditor and operations manager.