Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. With major cyber breaches appearing in news headlines more frequently, cybersecurity is on internal audit’s radar more than ever. This increased risk focus is reflected in the 2019 audit capability survey, which revealed that cybersecurity risk is the #2 priority for chief audit executives.

Internal audit works to manage cyber threats by providing independent assessments of existing risk and helping the audit committee and board understand and address that risk. Deloitte reports that many organizations recognize the need for a third line of cyber defense—an independent review of security measures and performance undertaken by internal audit.

Cybersecurity isn’t the sole responsibility of the security or IT teams—it impacts and involves all business areas. In a traditional, siloed approach, each department treats risks independently. There’s no common language or framework to examine cyber risk holistically. Focusing on risk removes these silos, while making it possible for business process owners to prioritize and act on findings.

Despite this increased focus, only half of internal audit leaders in the audit capability survey indicated their groups have conducted cyber-risk assessments. Among those that have, three-quarters have developed a cyber audit plan based off the assessment.

By performing a comprehensive cyber-risk assessment, internal audit can present objective evaluations and findings to the audit committee and board members and use those findings to develop a broad internal audit plan that includes cyber risk.

A cyber-risk assessment can also be structured to generate a list of cybersecurity gaps and provide the organization with a roadmap for short- and long-term remediation activities.

Cyber-risk assessment steps

The following are eight steps auditors can take to conduct a cyber-risk assessment.

1. Characterize the system (process, function, or application)

In this step, you want to answer the questions: What system is involved? What data does it use? Which vendors are involved in the system and using the data? Where does the information go and what is the data flow?

2. Identify threats

Threats will vary within each organization, but common ones include:

• Unauthorized access (e.g., an employee accesses sensitive data, maliciously or otherwise, that they don’t have authority to view)
• Misuse of information by a privileged user (e.g., malicious use of information by an employee with access to highly sensitive/confidential or competitive intel/data)
• Service disruptions (e.g., interruptions to business activities, failed services, ISP outage, server outage)
• Data loss (e.g., backup processes that fail or intentional deletion of files).

3. Determine inherent risk & impact

Apply a standard low-, medium-, or high-risk/impact rating to each of the threats you’ve identified. (Without considering your control environment and determining a “what-if” scenario where the risk happened.) Learn more about choosing effective cybersecurity metrics.

4. Analyze the control environment

Identify threat prevention, mitigation, and detection controls (e.g., controls for user provisioning, administration, data center security, business continuity), and their relationship(s) to identified threats.

5. Determine a likelihood rating

Now that you’ve identified your threats and determined risks/impacts, it’s time to determine how likely it is that each threat will occur. Assess the likelihood, within your control environment, of any given exploit or risk actually occurring within your organization (again, using a low, medium, or high rating).

6. Calculate your risk rating

The risk rating equation is pretty simple: impact (if exploited) * likelihood (of exploit in the control environment). Using a scoring system of low, elevated, and severe will help with determining the levels of individual risk rating scores, which is the next step.

7. Prioritize risks

Use your preferred risk ratings/scoring system to prioritize your risks in order of magnitude.

8. Document results in a risk assessment report

Produce a risk assessment report to support management in making decisions on budget, policies, and procedures.

Cybersecurity preparedness is an ongoing process. After completing the eight steps above, the next step is to continually refine and re-evaluate risk. When you change procedures or implement a new process as a result of your cyber-risk assessment, evaluate its effectiveness, and continue to assess the program overall for its effectiveness.