Internal Audit + InfoSec = Cyber Resilience Dream Team

March 31, 2025

Internal audit and information security teams are natural allies in the battle to protect the organization from cybersecurity threats, but these teams are often siloed — and the idea of collaboration only gets sparked when a cyber incident occurs. 

There are many reasons for internal audit and infosec teams to work together to boost cyber defenses, and many added benefits from building strong relationships between the two teams. 

Internal audit and information security leaders from two virtual roundtable discussions hosted by the Internal Audit Foundation and AuditBoard in November 2024 emphasized the significant benefits of developing strong, collaborative relationships. Top advantages included coordinated risk assessments, improved communications with the board, and combined assurance efforts. As advances in technology boost business competition and the need for efficient operations, these benefits take on greater value. 

Internal auditors have an added incentive to contact their infosec colleagues: the Institute of Internal Auditors recently released its Cybersecurity Topical Requirement. The new requirement provides a baseline for internal audit functions to assess cybersecurity governance, risk management, and controls — and it encourages collaboration with information security teams.

Don’t wait for an attack to reap the benefits of internal audit and information security collaboration! Read on for real-life examples of what effective CISO/CAE relationships look like in terms of alignment, coordination, education and advocacy, and technology. Then, download the full joint report from AuditBoard and the Internal Audit Foundation, Natural Allies: Nurturing Cyber Resilient Cultures Through Internal Audit-Information Security Collaboration for actionable strategies to build effective collaboration between the functions. 

Alignment

Alignment on cyber-related risks helps internal audit focus on assurance that provides relevant and immediate value to information security. 

An internal audit leader from the hospitality and tourism industry shared how he leverages comprehensive risk assessments developed by the organization’s information security team.

“These are the risks that drive what projects we’re going to be focused on in the coming year,” he explained. “We align and collaborate with information security and our chief information officer on where our time is best spent from a project perspective in supporting them and their ultimate goals and objectives.”

The public sector CISO said coordinating and aligning work calendars also supports his long-term planning.

“She has her calendar of events and a certain number of internal audits she has to do. And I have my calendar of events,” he said. “By working together and aligning what she’s doing, she’s structuring her audits in a way that I’m getting information that I need to feed into my future planning.”

Alignment on messaging to the board offers clear and accurate assessments of the organization’s cybersecurity profile and can help avoid embarrassing conflicts.

A vice president of internal audit and risk management within the financial services industry recalled how internal audit’s collaboration with information security evolved to improve communication with the board. 

“At first, we weren’t necessarily communicating a lot with the board regarding information security,” he said, while acknowledging that today’s regulations demand greater engagement. “So, it was internal audit that pushed back to information security saying, ‘Look, we have to give the board more information than you’re giving them currently.’ That has tremendously improved.”

Speaking a single truth to the board about an organization’s cybersecurity status helps prevent confusion and potential conflicts that can create inefficiency and sow doubt. The roundtable participants frequently cited collaboration on messaging and sharing presentations as effective strategies.

“What I’ve found helpful is to share my presentations with the CISO, just so they know what I’m telling the audit committee, and conversely, they share what they’re briefing the board and the audit committee about,” said the audit leader of an information and analytics company.

He recalled an incident where his CISO told board members all was well on the cyber front the day after he briefed the board about numerous internal audit findings relating to cybersecurity.

“The board said, ‘Wait a second. This guy just came in and said all this stuff.’ So, he had to backpedal a little bit. He was giving macro-level assurances. If we have a few findings here and there, it doesn’t mean the house is on fire. So that was a lesson learned: collaborate and share those materials the best that you can.”

The risk and audit leader at the public transit authority said she routinely invites her CISO to speak at executive risk management committee meetings not only to coordinate board messaging, but also to stay informed on information security risk management efforts.

“That allows us to stay connected in preparation for the [board] meeting as well as being able to speak in terms of things that they’re doing and things that we’re able to validate on our end,” she said.

Her CISO added that the board receives quarterly information security reports that are clear and accurate. 

“I know what she’s briefing, and she knows what I’m briefing. We’re keeping that kind of messaging to the board consistent, and they’re not getting conflicting information,” he said. “That clear and consistent messaging also provides a level of confidence to the board and executive leadership that we are collaborating, and things are moving in the right direction.”

Coordination

Coordination between internal audit and information security on compliance efforts, use of cybersecurity frameworks, joint use of technology, and risk management assurance provides additional avenues for improving an organization’s cybersecurity.

Internal audit assurance supports regulatory compliance in multiple ways.

The public transit CISO said the aligned assurance work cited earlier also supports compliance with federal rules on independent verification and validation, commonly referred to as IV&V.

“You have your cybersecurity function, and you have your IV&V team, which is independent of the cybersecurity function and checks the work,” he said. “I don’t have enough staff to have an IV&V team, so [internal audit’s] team fills that function for me. I get a free service from her team that provides me value — and in addition to that, I get the feedback on work that we’ve done over the year, validation that the work is done to standard, and that we can close some of those findings.”

Internal audit findings also help identify areas that need work, so they provide support for planning, he said.

“It’s a to-do list for my next two or three to four years of planning,” the CISO said. “We’re making sure that we’re talking and aligning what we’re doing, and she’s maintaining that independence because, you know, she’s certainly not here to just give me a free pass.”

The organization’s audit leader agreed. 

“When we’re looking at significant systems and [Information Security] has identified the top five systems, they may look at two of them, we might consider the other three during our audit planning,” she said. “So, we’re able to provide full coverage on what we collectively believe to be significant systems in the organization for any given year.”

An added benefit of having an established relationship is the ability to jointly strategize on how best to show compliance with regulations that can be complex and arduous.

“We have to figure out how to come up with accurate, meaningful answers to high-level questions and be able to defend [them] when somebody comes in to challenge us,” the CISO said. “That’s going to take a lot of cross-talk between our different teams to look at the data and figure out how to win it.”

Collaboration can help mitigate risks of cyber incidents and related reputational risks.

An audit leader within the healthcare industry noted that not only does collaboration support regulatory compliance, but regulations and cyber incidents can drive collaboration, as well. 

“If one employee gets hit and that employee has 1,000 patient records that get exposed to the threat actor, not only are you required to report that to OCR, but you also get put on their wall of shame,” he said, referencing the U.S. Department of Health and Human Services Office for Civil Rights. “You also are required to notify press, radio, or TV in your market. So, the stakes are huge. In healthcare that trusting relationship means everything.”

Coordination will be critical to effective and safe use of artificial intelligence (AI).

Collaboration on risk assessments, shared technology tools, and transparent communications set the foundation for effectively managing new technology and cyber risks, such as artificial intelligence.

The public transit risk and audit leader stated that her function’s involvement in cybersecurity governance exercises in an advisory capacity gives them a seat at the table for discussions on evolving technology risks.

“As new issues come about, we continue to stay connected,” she said. “So, I think one recent thing for us is looking at the AI space. Whether it’s in terms of acceptable use policies and how it helps data organization from a testing standpoint or from an interest standpoint, we at least have conversations there.”

Education and Advocacy

Speaking information security’s language is critical to acceptance and trust.

The risk management and internal audit leader from the financial services industry stated that his knowledge of information security was critical in establishing a strong working relationship when he first took on the job.

 “When I first showed up, being able to talk their language really went a long way to developing that collaboration between us and the information security group and our technology group,” he said.

He remains a strong advocate for internal auditors to become educated enough about information security to speak knowledgeably about its needs.

Internal audit can act as a trusted advisor and advocate on information security’s behalf.

The U.S. city audit leader’s evolving relationship with her information security team has paid an unexpected dividend. Internal audit was able to articulate information security resource needs more effectively to executive management.

“I think for quite a while, they felt like what they were saying they needed was falling on deaf ears,” she said, adding that there was resistance to information security requests for additional software until internal audit was able to convince budget-conscious administrators of the need.

“Now we’re looking at five different software programs, and they’ve been approved for all five of them,” she added. “In years past, they hadn’t been because there wasn’t a good intermediary there to bring to the city manager’s attention that it was necessary.”

The key, she explained, was having internal audit demonstrate that the new software would enhance productivity and be far more cost-effective than hiring additional staff. She also emphasized that building a trusting relationship was critical to having information security share their needs.

An audit leader in the food manufacturing industry shared a similar observation. Her organization is going through an ownership change, which also involves a shift in culture. Part of this transition includes conforming to additional reporting requirements for the privately owned company.

“It has been a challenge for both InfoSec and our group to demonstrate upward the need for additional resources and additional processes,” she said. “So, we’ve been collaborating on presentations to explain the difference between the execution steps and the compliance steps and the need for all the different things coming into that.”

Sharing Technology

Internal audit and information security can leverage GRC tools to enhance transparency and strengthen collaboration.

Governance, risk and control (GRC) software is a rapidly growing business market with a variety of products available, from off-the-shelf tools to highly specialized systems designed for specific users. As new cyber threats emerge and new risk management strategies and regulations evolve to better manage those risks, it is safe to say that GRC technologies will play a greater role. While GRC tools undoubtedly are an important component of cybersecurity, collaboration on the use of those tools holds even greater promise.

The public transit agency CISO said information security and internal audit share the same GRC technology.

The shared technology provides internal audit with visibility into what information security is doing, which provides benefits on several levels including knowing what process and systems reviews information security has done and avoiding duplication.

The chief risk and audit officer at the agency added, “We’re looking somewhat in that space of combined assurance so we’re not duplicating and are complementary.”  

Boost Your Organization’s Cybersecurity Resilience Through Collaboration

Practices that strengthen cybersecurity and help grow cyber-resilient organizations should be examined and embraced. Conversely, practices that endorse hoarding information and building silos will ultimately lead to cybersecurity failures.

We hope you’ll consider sharing this report with colleagues in internal audit or information security to spark meaningful conversations about strengthening collaboration and enhancing your organization’s cyber resilience. Download the full IAF/AuditBoard report, Natural Allies: Nurturing Cyber Resilient Cultures Through Internal Audit-Information Security Collaboration for more real-world CAE and CISO examples and actionable strategies for building cyber resilience through internal audit and information security collaboration.
