Managers and internal auditors don't necessarily see eye-to-eye when it comes to the results of an IT audit. And that could prove problematic for the enterprise.
Carolyn Holcomb, who leads PricewaterhouseCoopers' Risk Assurance Data Protection and Privacy practice and recently coauthored a new report on the role of internal audits, sees the relationship between business systems owners and internal auditors as being at odds, often due to lack of communication.
"Management may not think that the internal audit had any credit to it," she says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "They may not agree with it. They don't even agree with the way the internal audit was conducted or they don't think the internal audit addressed the most serious risks."
To remedy this, managers need to be more open, Holcomb explains. "They're the ones who do see the system every day and understand the technology," she says. As a result, they should be talking with the auditor about the areas where they see the greatest risk.
Also, she says, auditors need to be pragmatic in their findings, identifying whether or not the risk is addressable and how much it would cost to mitigate.
In an interview, Holcomb:
- Identifies three lines of cyberdefense;
- Explains the role of internal auditors today; and
- Addresses major concerns around the auditing process.
Based in Atlanta, Holcomb specializes in IT and business process, and as lead in PwC's Risk Assurance Data Protection and Privacy practice, she assesses and provides recommendations for improving clients' information security and privacy programs in addition to serving as the independent assessor.
A certified information privacy professional and certified public accountant, Holcomb holds an MBA in business and accounting from the Georgia Institute of Technology and a BS in math from Bucknell University.
Internal Audit Barriers
CHABROW: The paper, entitled, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, identifies four barriers organizations commonly face in adopting effective data security and privacy measures. What are those barriers and what can organizations do to surmount them?
CAROLYN HOLCOMB: There are definitely some challenges and barriers. The four that we talk about are, first, a mindset where the organization already believes that controls are in place and it can be a real false sense of security when an organization has been PCI certified or ISO certified and they get to think that therefore everything is okay and they're not going to have a problem with privacy and security. Number two would be cost. It can be very expensive, both from a people perspective as well as a technology perspective, to put enough measures in place to really protect the organization. Thirdly, and interestingly, low expectations. A lot of companies may not expect a lot of their internal audit department and they may think that whatever they're doing is good enough. Then lastly, the fourth one we talk about is fragmented responsibilities, where the roles and responsibilities for privacy and information security may not be really fully defined throughout the organization and therefore people aren't really sure who's in charge.
CHABROW: When you spoke about low expectations, you said they may not expect a lot, of the internal audit organization or of themselves?
HOLCOMB: Typically of the internal audit organization and they're not really sure what they should be doing, what internal audits should be looking at, what their skills need to be, because a lot of times privacy and security can be very technical, especially when you get into the system side of security. Really having people on staff who are qualified to look at the risks within this area can be quite a challenge.
3 Lines of Cyberdefense
CHABROW: The paper concludes that organizations should institute and continually shore up three lines of defense to combat the ever increasing attacks on their data: first - management; second - risk management and compliance; and third - internal audit. Please take a few moments to explain each, first with management.
HOLCOMB: With management, the general leadership within an organization first needs to take responsibility for information, security and privacy.
CHABROW: When you say the leadership of the organization, you're talking like the CEO and CFO?
HOLCOMB: The CEO/CFO needs to set the tone, but then they need to designate somebody - and it's probably not them - to be responsible for privacy and security. Somebody's job description needs to say, "This is what I'm going to look at and this is what I'm going to make sure works well." And it's interesting. We looked at the Fortune 100 companies a few months ago and within those, only 50 had somebody that they called the chief privacy officer. A lot of the other organizations had either split the responsibilities or had given it to somebody lower in the organization. It's critical that the top leadership really figure out who's going to be looking over these areas.
CHABROW: Have you found with some organizations that the chief information security officer also serves as the chief privacy officer, or at least takes on some of those responsibilities?
HOLCOMB: Yes. That's a very common one, where they will just say, "You're already the CISO. Let's add privacy to your list of things to do."
CHABROW: Is that good or bad?
HOLCOMB: We tend to think it's better to do it a different way and to actually have somebody who's responsible for privacy. At PwC we often find that privacy needs a legal bent to it. It needs someone who has got legal training or someone in their department who's a lawyer who can really understand all the privacy laws around the globe and within the various states of the U.S., because it's a very complex legal environment. That can often be pretty challenging for a CISO to take on.
CHABROW: Next in those three areas was risk management and compliance functions. What do you mean by that?
HOLCOMB: This is a different function, so not the line management, not the CISO or the chief privacy officer, but a special function that most companies have that's designated to handling risk and compliance, and this is a recommendation to now add privacy and information security to that group. That group may already be looking at laws in different areas, compliance requirements in different areas, but now adding information security and privacy specifically to that group as a second layer to your defense.
CHABROW: I hear things being called enterprise risk management. By adding privacy and information to that, is that part of that trend?
HOLCOMB: Right, yes. Sometimes your enterprise risk management is in this group and some companies have a chief risk officer. At PwC, we've actually seen a trend lately where companies are forming a risk committee at the board level, even somebody for this risk management and compliance function to report to, and a group of people at the board level who really understand regulatory compliance and privacy-type risks.
CHABROW: Is something happening in business or government in the sense that risk management needs to be looked at more broadly?
HOLCOMB: Sarbanes-Oxley has certainly opened a lot of people's eyes to the financial risk, but there's a lot more risk that some organizations have looked at and some have only looked at high-level. I think what's happening is it's a little bit like doctors specializing in different areas. In business, it's the same thing. You want people who are specialized in different areas and can really understand risks that go across the organization, and the risk can be very broad and so organizations have seen a need to kind of put that under one umbrella such that there's some governance that says, "Are we catching all the risks or are there some that we're ignoring?"
CHABROW: And the third area was internal audits.
HOLCOMB: Internal audit now is the monitoring function. You have the management doing the process; the compliance function making sure that all the laws and regulations are complied with and risk is addressed. Now internal audit is the one to look over everybody's shoulders and really make sure that the discipline is there and that things are not falling through the cracks, things have been followed up on. An internal audit is the one that usually has the reporting relationship to the audit committee at the board level to make sure that the board's actually hearing about the risks and hearing whether management is keeping up with and addressing them or not.
Internal Auditors: Skill Sets
CHABROW: Let's talk about these internal auditors. Who are they? What kind of skills do they need and where are companies finding them?
HOLCOMB: The internal auditor's skills have changed quite a bit. There was a time when many internal auditors were really focused on finance-type audits and had financial-type skills, and then that evolved into compliance-type skills, and now it's really getting very broad and so organizations are looking for people who have to have the basic auditing skills. You have to have some auditing background. But on top of that, they're also looking for people who either understand privacy or security or FDA risks or whatever the case may be, something around mergers and acquisitions. Now often times, we at PwC certainly see that organizations need to source or look to a third party or have somebody help them with those very specialized audits, because it's very difficult to keep all those skills on staff, because you may not need them full time.
CHABROW: There have been IT auditors around for decades. What's different today than maybe five, ten or 20 years ago when it comes to IT audits?
HOLCOMB: Probably one of the biggest things is just the pace of change. Technology is just changing so fast that it's hard for anyone to really keep up with knowing the different technologies and all the security in the technologies. We certainly see the hackers get ahead of the curve very fast and therefore the auditors need to try to keep up. It's often beneficial for an organization to look for somebody who really has specialized security skills who's more in a consulting practice because that's someone who has seen security and seen technologies across the board, keeping up with it on a daily basis, and not just focused on the one at the organization. So I would say the pace of change is what is really driving quite a bit of that.
Audits: Major Concerns
CHABROW: When it comes to implementing internal audits on IT and IT security, what do you hear from your clients? What are some of their major concerns?
HOLCOMB: My clients are first concerned about, "Are we looking at the right risks? Do we really understand the risks?" I think especially in IT and in technology, it's easy to miss the risks if you don't really understand the technology or really understand how breaches occur and how hackers get in and how people steal data. But that's probably the biggest risk - do I have the right people who understand this and are they doing enough?
Reacting to Audits
CHABROW: You have these audits. How should the business owners of these systems react differently to these audits today than maybe they would have in the past?
HOLCOMB: I would say the management folks who are actually operating the systems and things need to also be open. First, they're the ones who do see the system every day and understand the technology very well, so they should first voice their concerns to the auditor and they should know in most cases where they think the risks lie. Certainly that's what I see in my clients. Those folks know what we should be concerned about, what the audit committee should know about. That's the first thing I would say. They should communicate.
Then when the internal auditors find something else as well, there needs to be a very practical look at whatever the observation is, to say, "Is that something we can actually address or is it not, and if we can, how soon? What will it cost?" There's certainly a lot to think about there and sometimes there's a cost-benefit analysis and that's another benefit of what we call the second line of defense, where the risk management and compliance function can help assess whether management is making a good business decision to either accept a risk or do something to address the risk.
CHABROW: One of my hats is being editor of GovInfoSecurity. One complaint I often hear from chief information security officers when they're ordered by either the Inspector General or by the Government Accountability Office is they may not be following specifically, say, the Federal Information Security Management Act, but they're doing the best to secure their IT organizations, and what they're pointing out is the audits may not be as important. Is that a problem with auditing at all?
HOLCOMB: Oh I think it is, for sure. Yes. I think that's a very valid point. There's a lot that goes into that where management may not think that the internal audit had any credit to it; they may not agree with it. They don't even agree with the way the internal audit was conducted or they don't think the internal audit addressed the most serious risks. We try to help organizations think through what's the framework that the company should be using and give themselves some solid footing.
For example, using the ISO standard, or the NIST standard, or in the case of privacy, Generally Accepted Privacy Principles, so that they have something to talk to auditors about and say, "Hey, I used this as my baseline. This is what makes sense in my organization." And it could be a combination of several frameworks because those are well-known, documented, tried-and-true frameworks that auditors will look to and will put some stock in and that helps give you credibility.
Systems Owners and Auditors: Communication Tips
CHABROW: Is there any difference in the way business systems owners and auditors talk to one another or communicate with one another today that may be different from a few years ago? How should that process be improved?
HOLCOMB: I think sometimes they continue to talk past each other. I think the terminology can be challenging. The auditors tend to talk about controls and the CISOs tend to talk about technologies. I think both parties do really have to be careful and try to talk each other's language so that they can understand and really get to what each other are saying. I think that's really important and I do think it can be improved by both parties, really trying to understand the other one's perspective.
CHABROW: Should the relationship between the auditor and the business system owner be adversarial? Should it be a collaborative effort or is there something in the middle?
HOLCOMB: It definitely should not be adversarial. I would say that doesn't get them anywhere. It should definitely be something collaborative. Now the internal auditor has the responsibility of remaining independent, but they need to be competent, they need to be objective, but you can maintain that and also have a very collaborative working relationship with management, because both parties should have the same objective, which is to better secure the organization and comply with laws and regulations. So if everybody has got the same objective in mind, it should be a very good working, open relationship and certainly at PwC, the clients that we see that do this the best, that's how it is. Management calls internal audit and says, "Would you please come audit XYZ? I would like to know if I'm doing it as well as I could or if you can tell me of a way to improve it." Those are the most effective internal audit functions.
CHABROW: Do you have any final thoughts?
HOLCOMB: I think the only thing I would add is governance. I want to make sure we point out that governance is really critical in the management function. To whom does a chief privacy officer report? Where does the CISO report? Is their voice heard? Is someone listening and do they have enough visibility and credibility? And then the same thing for the internal audit department. Who's the head of the internal audit? Who does he report or she [report to]? And are they listening and do they have an open dialogue where risks can be vetted and remediation actions can be followed up on to make sure that they're addressed timely?
CHABROW: Are there best practices on which of these people should report to whom or is it just having some kind of governance in place and execute on it?
HOLCOMB: There are certainly a variety of models that work. Most commonly, a CISO is reporting to a CIO. That's not necessarily what we will always recommend. Sometimes that does work, but a lot of times you want to be able to have security and privacy reporting more like that compliance function, and you want them to be fairly senior people. We certainly have seen a trend where those people have been elevated within, so critical to the company. It's mostly making sure they're at the right level and being independently heard as opposed to being buried somewhere in security or somewhere in IT.
CHABROW: And the auditors, who should they be reporting to?
HOLCOMB: The head of internal audit definitely should report to the audit committee. Now that may not be administrative reporting. Administratively they often report to a CFO, a COO or a chief risk officer. Any of those are probably fine as long as that's working and as long as the communication flows, but the head of internal audit needs to report directly to the audit committee so that they can get directly to the board if they think there's a risk that's not being addressed.