The Internal Audit Role in assessing Cybersecurity


1 The Internal Audit Role in assessing Cybersecurity
May Louise Farrugia September 2016

2 There are only two types of companies: those that have been hacked
and those that will be. - Robert Mueller, Former FBI Director

3 Cyber risk is not just IT risk
- Concerns all personnel within the company
- Internal audit has a key role to play

4 Objectives of the study
- To understand the attitudes of Maltese internal audit functions towards assessing cybersecurity
- To identify barriers hindering cybersecurity assessments
- To recommend improvements in this area

5 Research Methodology
Primary research: 11 semi-structured interviews (7 PLCs + 4 ‘Big Four’ audit firms)
Secondary research: academic journals, reports, articles, books, past dissertations, professional standards and company documents

6 Findings: Cybercrime and Cybersecurity controls

7 How probable is cybercrime?
- Maltese companies are not immune to it
- Not as likely to be hit as foreign companies
Chart: Internal Audit’s Perception of the Probability of Cybercrime (IAPLCs)

8 How probable is cybercrime?
- Numerous attacks remain unreported or undiscovered
- Accidental cybercrime
- Increase abroad → increase locally
Chart: Internal Audit’s Perception of the Probability of Cybercrime (IAAFs)

9 What is the impact of cybercrime?
- Depends on the activity of the company
Chart: Internal Audit’s Perception of the Impact of Cybercrime (IAPLCs)

10 What is the impact of cybercrime?
Chart: Internal Audit’s Perception of the Impact of Cybercrime (IAAFs)

11 Reasons for cybersecurity controls
Number of IAPLC Respondents (n=7) Security/Protection of systems, data and/or other company assets 3 Mitigation of cyber risk and/or cyberattacks Maintaining reputation Fraud management 2 Confidentiality of data Integrity of data Financial damage, including loss of future revenue due to corporate espionage Availability of data 1

12 Reasons for cybersecurity controls
Number of IAAF Respondents (n=4) Mitigation of cyber risk and/or cyberattacks 3 Fraud management 1 Business improvement Regulatory compliance Reliability of financial reporting

13 Types of cybersecurity controls
Control Used/Recommended Number of IAPLC Respondents (n=7) Number of IAAF Respondents (n=4) Passwords 7 4 Anti-Virus Software 3 Firewalls Encryption Staff Training Vulnerability Assessments 6 2 Penetration Testing Cyberinsurance -

14 Types of cybersecurity controls: Emerging technologies
- Controls over access to social media
- Monitoring the cloud
- Controls over smart devices

15 Findings: Cybercrime assessments and internal audit

16 Is cybersecurity assessed?
6/7 Yes, 1/7 No. Of those assessing:
- 3/6 - Constantly
- 1/6 - Ongoing (by suppliers) + one-time outsourced
- 1/6 - Ad-hoc audits
- 1/6 - One-time audit

17 Is cybersecurity assessed in a typical engagement?
4/4 Yes
- Cybersecurity assessments are always considered
- Engagements usually involve some aspect of a cybersecurity assessment

18 Included in the Audit Plan vs. Ad-Hoc (IAPLCs / IAAFs)
- Included: 4/6 / 2/4
- Ad-Hoc: 1/6 / 1/4
- Both: 1/6 / 1/4

19 Is the process similar to a normal audit?
- IAPLCs: 5/6 Yes
- IAAFs: 4/4 Risk-based approach

20 Is this being requested?
5/6 Yes, 1/6 No. Requested by:
- Audit Committee (3/5)
- Regulators (2/5)
- Management (2/5)
- External Auditors (1/5)
- Parent Company (1/5)

21 To whom are results reported?
Recipients (number of respondents, n=6):
- Audit Committee/Board: 6
- President/CEO: 3
- Group Chief Internal Auditor: 2
- Executive Management: 1
- General Manager of the operation concerned

22 What are the necessary factors?
IAAFs:
- Technical skill and experience (3/4)
- Good understanding of client and its risks (2/4)
- Full support from management (1/4)
IAPLCs:
- Knowledge (basic vs. specialised) (6/7)
- Time and frequency (2/7)
- A good budget (1/7)

23 What determines the success of an assessment?
- The assessment itself
- Improvements
- External reviews
- Good understanding of risks
- Mitigation of risk
- Penetration testing
- Meeting client’s expectations

24 What is the role of the internal auditor?
- Third line of defence
- Highlight risks and deficiencies
- Provide practical recommendations
- Maintain basic knowledge
- Raise awareness

25 Findings: Internal audit team knowledge

26 Do you hold any related qualifications? (IAPLCs)
5/7 Yes (CISA 5/5, CRISC 2/5), 2/7 No

27 Do you hold any related qualifications? (IAAFs)
4/4 Yes: CISA, CISM, CRISC, CGEIT, CISSP, CPTE, CEH, ISO27001

28 Did you/your team receive training? (IAPLCs)
5/7 Yes (organised by the PLC: 1/7), 2/7 No

29 Did you/your team receive training? (IAAFs)
4/4 Yes (organised by the firm: 3/4; supported by the firm: 1/4)

30 Is local awareness appropriate? (IAPLCs / IAAFs)
- No: 4/7 (but increasing) / 2/4
- Yes: 3/7 / 2/4

31 Findings: Barriers

32 Do you face barriers in assessing cybersecurity? (IAPLCs)
6/7 Yes, 1/7 No. Barriers:
- Lack of knowledge (5/6)
- Lack of financial resources (4/6)
- Lack of time (3/6)

33 Do you face barriers in assessing cybersecurity? (IAAFs)
3/4 Yes, 1/4 No. Barriers:
- Lack of management involvement and commitment
- Lack of knowledge
- Lack of time
- Management’s mentality

34 How will cybersecurity impact the future of the internal auditor?
- Required knowledge: no longer the profile of an accountant
- More time devoted to cybersecurity
- Recruitment of skilled people
- Provision of training to unskilled employees

35 Recommendations
- Implementation of a cybersecurity framework, e.g. NIST Cybersecurity Framework
- Education and training: top management; training sessions/conferences
- Out-/co-sourcing cybersecurity assessments

36 Cybersecurity is a shared responsibility, and it boils down to this:
in cybersecurity, the more systems we secure, the more secure we all are. - Jeh Johnson, US Secretary of Homeland Security

37 Thanks!
