Inside Internal Controls

News and discussion on implementing risk management

Cyber risk and audit

Clearly, cyber risk and audit is the topic of the day, if not the year and decade.

The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”.

He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group.

I will let you read his post and suggested action items.

But, as usual, I do have comments.

For a start, the three areas of risk that Brand lists do not top my personal list.

His list does not include the ability of a cyber attack to shut down the company!

When I was at Tosco, an oil and gas refining company, I engaged what was then Andersen (the people are now with Protiviti) to perform some ‘white hat’ intrusion testing. They were able to obtain root-level access in one of our refinery’s control systems. That access would have permitted them to change temperature and/or pressure settings that could have led to a fire, explosion, and loss of life. The damage would have shut down the entire refinery, probably leading to the demise of the whole company.

We know that hackers from nation states and others might be interested in attacking our infrastructure systems, again causing catastrophic damage and huge financial loss. Certainly, they might be interested in taking actions that could cause a financial institution to be unable to service its customers.

No wonder the Federal and other governments worry about cyber!

Turning to his ten suggestions, I would prefer greater emphasis on his last point—staffing and resource shortages.

If I were on the board, or helping management assess cyber risk, I would be most concerned about whether the management team has the personnel with the appropriate level of experience and insight to understand cyber risk and adapt as the threats change. I would be concerned about whether they have the budget necessary, as well as the influence with management, to (a) understand the business risk, and (b) influence them to take necessary actions.

I would also like to see greater emphasis on considering cyber-related risk as new technology is implemented. Before, rather than after, the fact! Are the information security personnel appropriately involved when new mobile devices and applications are considered, when Artificial Intelligence and Machine Learning uses are planned, or when the Internet of Things will be leveraged?

I agree with Protiviti that board engagement is important. But I would prefer to see them focus their attention on whether management has the capability to manage the risk rather than see them get their fingers into the pie, trying to manage the risk themselves.

So, some useful tips but not, IMHO, a complete list.

What do you think?

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
