Improving the Internal Audit

The Role of Leaders in Mitigating Risk

By , October 1, 2012.
Managers and internal auditors don't necessarily see eye-to-eye when it comes to the results of an IT audit. And that could prove problematic for the enterprise.

Carolyn Holcomb, who leads PricewaterhouseCoopers' Risk Assurance Data Protection and Privacy practice and recently coauthored a new report on the role of internal audits, sees the relationship between business systems owners and internal auditors as being at odds, often due to lack of communication.

"Management may not think that the internal audit had any credit to it," she says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "They may not agree with it. They don't even agree with the way the internal audit was conducted or they don't think the internal audit addressed the most serious risks."

To remedy this, managers need to be more open, Holcomb explains. "They're the ones who do see the system every day and understand the technology," she says. As a result, they should be talking with the auditor about the areas where they see the greatest risk.

Also, she says, auditors need to be pragmatic in their findings, identifying whether or not the risk is addressable and how much it would cost to mitigate.

In an interview, Holcomb:

  • Identifies three lines of cyberdefense;
  • Explains the role of internal auditors today; and
  • Addresses major concerns around the auditing process.

Based in Atlanta, Holcomb specializes in IT and business process, and as lead in PwC's Risk Assurance Data Protection and Privacy practice, she assesses and provides recommendations for improving clients' information security and privacy programs in addition to serving as the independent assessor.

A certified information privacy professional and certified public accountant, Holcomb holds an MBA in business and accounting from the Georgia Institute of Technology and a BS in math from Bucknell University.

Internal Audit Barriers

CHABROW: The paper, entitled, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, identifies four barriers organizations commonly face in adopting effective data security and privacy measures. What are those barriers and what can organizations do to surmount them?

CAROLYN HOLCOMB: There are definitely some challenges and barriers. The four that we talk about are, first, a mindset where the organization already believes that controls are in place and it can be a real false sense of security when an organization has been PCI certified or ISO certified and they get to think that therefore everything is okay and they're not going to have a problem with privacy and security. Number two would be cost. It can be very expensive, both from a people perspective as well as a technology perspective, to put enough measures in place to really protect the organization. Thirdly, and interestingly, low expectations. A lot of companies may not expect a lot of their internal audit department and they may think that whatever they're doing is good enough. Then lastly, the fourth one we talk about is fragmented responsibilities, where the roles and responsibilities for privacy and information security may not be really fully defined throughout the organization and therefore people aren't really sure who's in charge.

CHABROW: When you spoke about low expectations, you said they may not expect a lot, of the internal audit organization or of themselves?

HOLCOMB: Typically of the internal audit organization and they're not really sure what they should be doing, what internal audits should be looking at, what their skills need to be, because a lot of times privacy and security can be very technical, especially when you get into the system side of security. Really having people on staff who are qualified to look at the risks within this area can be quite a challenge.

3 Lines of Cyberdefense

CHABROW: The paper concludes that organizations should institute and continually shore up three lines of defense to combat the ever increasing attacks on their data: first - management; second - risk management and compliance; and third - internal audit. Please take a few moments to explain each, first with management.

HOLCOMB: With management, the general leadership within an organization first needs to take responsibility for information, security and privacy.

Follow Jeffrey Roman on Twitter: @gen_sec
