The exact role of internal audit regarding information security varies widely among companies, but it always provides a significant opportunity for internal audit to deliver real value to the board and management. Internal auditors should play an important role in ensuring that information security efforts have a positive effect on an organization and protect the organization from harm.
Why worry so much about information security? Consider some reasons why organizations need to protect their information:
Availability. Can your organization ensure prompt access to information or systems for authorized users? Do you know whether your critical information is regularly backed up and can be easily restored?
Integrity of data and systems. Are your board and audit committee confident that this information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that could compromise their reliability?
Confidentiality of data. Can you tell your customers and employees that their nonpublic information is safe from unauthorized access, disclosure, or use? This is a significant reputational risk today!
Accountability. If information has been compromised, can you trace actions to their source?
An audit of information security can take many forms. At its simplest, the auditors review the information security program’s plans, policies, procedures, and key new initiatives, and conduct interviews with the key stakeholders. At its most complex, a large internal audit team evaluates almost every aspect of the security program and may even perform intrusion testing.
The scope chosen depends on the risks involved, the assurance requirements of the board and executive management, and the skills and abilities of the auditors.
For example, if the organization is undergoing extensive change within its IT application portfolio or IT infrastructure, that is a good time for a comprehensive assessment of the overall information security program (ideally just before or just after the changes). If last year’s security audit was positive, a specialized audit of a particular activity or of an important e-commerce application may be more useful. The audit evaluation can, and in most cases should, be part of a long-term (read: multi-year) audit assessment of security results.