The benefits of IT Internal Auditing
The digital age we live in introduces us to a world of knowledge and convenience, but in the process leaves us susceptible to the growing threat of cyber-attacks.
Recently there have been a number of incidents targeting state and local government sectors, including organisations based locally. These threats have grown with the dependency many organisations have on technology and the automation it provides.
Internal Auditing can dramatically help to protect you against the vulnerabilities this brings. Internal auditors must have sufficient knowledge of key information technology risks and controls, and of the available technology-based audit techniques, to perform their roles.
The following are key areas we consider with our IT specialist when testing IT systems, including cyber security risks:
Governance – what frameworks are in place to deal with the following:
Threat to integrity – modification or corruption of information
Threat to reputation – inaccurate information about the organisation
Threat to intellectual property
Change management controls
Support and Maintenance:
Review of user access
Availability:
Disaster recovery and business continuity planning
General Security:
Logical security over network, servers, database management systems and communication management systems
Application security
Cyber Security:
Understanding the threat – a clear understanding of what the organisation’s key information and data assets are, and clarity on its biggest vulnerabilities and risk exposures in IT
Leadership – how cyber risk is handled in the Board governance process
Risk management – including appetite for cyber risk, for existing business and for new digital innovations
Awareness of help – the Australian Signals Directorate (ASD) suggests that 85% of threats can be mitigated by implementing the ASD top four strategies:
Application whitelisting (the opposite of blacklisting): specifying an index of approved software applications that are permitted to be present and active on a computer system;
Patching (updating) common applications;
Patching operating systems; and
Restricting administrator privileges
Cyber incidents – including a documented response plan. As part of an ongoing project to foster awareness of cyber security, the Findex IT department completed a simulated phishing exercise on staff. This testing involved attempts to convince users to divulge their account details via fake websites. The exercise will serve as a baseline against which we will measure the success of future cyber security training initiatives.
The above are areas every organisation should be considering on a periodic basis. Have you got your IT risks covered? For more information on how you can ensure you remain protected, talk to an Internal Auditor today.