
Providing Assurance to the Board


To effectively communicate risks related to insider threats to the board, internal auditors must translate audit findings into terms of financial loss, reputational damage, operational disruption, and other organizational performance indicators.

To illustrate risks in terms that are meaningful for management, internal auditors may find it helpful to leverage existing industry reports describing data compromises and breaches throughout the world that resulted from insider threats. Using real world data helps communicate the breadth and depth of the impacts and helps remove the illusion that insider threats and resulting breaches cannot happen to the organization.

[Sidebar] Audit Reports
For detailed instructions on preparing internal audit reports, see IIA Practice Guide “Audit Reports: Communicating Assurance Engagement Reports.”


Educating the board includes helping them understand that “absolute security” is not possible; therefore, it is critical to focus on strengthening the organization’s IT security incident response capabilities and ensuring balance between security and efficiency (security is managed based on the risk appetite established by the organization). Other key elements for providing assurance to the board include:

• Develop a collaborative reporting approach with parties such as the chief information security officer (CISO) and chief risk officer (CRO) to demonstrate the level of maturity of the organization’s security posture related to insider threats.
• Ensure that insider threat risks are included in the organizationwide risk assessment and communicate the effort and results to the board.
• Agree on a framework that all assurance parties can use to assess the maturity and effectiveness of insider threat mitigation efforts.
• Develop possible risk scenarios to describe the potential actors and the likelihood and impact in a language that clearly relates to business objectives.
• Determine whether the internal audit activity possesses the competencies needed to assess insider threat management or can be trained, and if not, outsource the expertise.
• Develop the internal audit plan to leverage the work of other assurance functions (compliance, management self-assessments, and risk management results).

www.theiia.org — Auditing Insider Threat Programs, p. 29