Internal Auditor... Meet ISO, by Guest Blogger Emily Knopp. Posted: May 18, 2015
As internal auditors, we find ourselves needing to know a little bit about everything within our organization. We have to understand the accounting and procurement practices so that we can assess internal controls. We also have to have knowledge and understanding of the legal and regulatory statutes so we can assess compliance. And to top that off, we have to understand the underlying information systems, technical processes, and related controls that are deployed to protect the organization’s most valued asset: its data. The best way for the internal auditor to learn and stay abreast of changes is to partner with the key administrators and experts across the organization. One critical area in which to build a collaborative partnership is with the Information Security Officer. This partnership can further secure information assets and improve the security posture of the organization. These partnerships also leverage the knowledge of the experts, so the auditor gains the knowledge, skills, and competencies needed to perform and assess information technology and security risks.
Creating this partnership is tricky, because internal auditors must maintain their independence and objectivity. At its core, internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. I believe these partnerships can be created while still maintaining the requisite independence and objectivity.
Linda Tucci, Executive Editor of SearchCompliance, wrote in 2009 that Information Security Officers and internal auditors can leverage each other’s skills. Her approach focused more on what the Information Security Officer can learn from auditors (i.e., risk management and controls, business risks in need of funding), but I believe the Auditor can also learn from the Information Security Officer. Much like the Auditor, the Information Security Officer needs to know a little bit about everything and stay abreast of the ever-changing and complex technology and regulatory landscapes (e.g., NIST and state cybersecurity frameworks; HIPAA technical safeguards; PCI DSS). Because of these ever-changing landscapes, forging a partnership with the Information Security Officer will also enhance the Internal Auditor’s risk assessment.
The Internal Auditor and the Information Security Officer have similar missions and goals, and in practice, both roles are responsible for monitoring risks and evaluating controls. Internal auditors are called to assist management in identifying and mitigating risks. The International Standards for the Professional Practice of Internal Auditing specifically requires auditors to include the assessment of information system risks and controls, in addition to all other types of risks (e.g., strategic, operations, compliance, financial). However, many auditors may not be trained in information security or information technology risks, nor are smaller organizational audit departments staffed with specialized IT auditors. Additionally, the State of Texas requires the Information Security Officer be responsible for developing and maintaining information security policies and procedures, and working with organizational resources to ensure the appropriate technical controls are in place to mitigate risk. Given these similar missions, a partnership with the Information Security Office is ideal and may enhance Internal Audit’s coverage of information technology and security risks.
The hard part is actually forging the partnership. Historically, Information Technology departments and their IT Security teams are not open to auditors. A CFO even told me once that the internal auditor is “the one who comes in after the battle and stabs the wounded.” It is this mentality that makes forging partnerships difficult. But we must work diligently to change this mentality. If you find a gem, an Information Technology team that is open and forthcoming, build on that and use it. I have learned that the best approach is to be honest and open with them, acknowledging your limitations. While we may not be experts in everything, we are experts in risk and controls.
My greatest success in forging this partnership started with an open conversation, and it is a conversation that continues today, five years later. Through this partnership, we have increased our coverage of technology and security risks, and at the same time educated management in risk management techniques. The Information Security Officer has also taught me about the underlying technical processes that impact the effectiveness of internal controls.
So, I encourage you to reach out, schedule a meeting, and get to know your organization’s Information Security Officer. It may be the most value-adding partnership you have.
- Proficiency, Standard 1210, The International Standards for the Professional Practice of Internal Auditing, 2013 Edition
- Definition of Internal Auditing, The Institute for Internal Auditors, 2013 Edition
- How CISOs can Leverage the Internal Audit Process, Linda Tucci, Executive Editor, Tech Target / SearchCompliance, June 28, 2009 (http://searchcompliance.techtarget.com/news/1362909/How-CISOs-can-leverage-the-internal-audit-process)
- Texas Administrative Code, Title 1, Part 10, Chapter 202, Rule §202.71(b)
Emily A. Knopp, CPA, CISA is the Audit Director at Angelo State University, a member of the Texas Tech University System. Since joining Texas Tech System’s Office of Audit Services in 2002, she has assisted in developing and expanding the IT audit activities. In addition to audit responsibilities, Ms. Knopp serves as the Past President of the San Angelo chapter of the Texas Society of CPAs and as Secretary of the TACUA Board of Directors.