While IT and internal audit teams share a common goal of protecting an organization against risks, collaboration between the teams can sometimes cause friction due to key differences in approach and language. Understanding how these teams interact and some of the common collaboration challenges they face can help facilitate stronger cybersecurity defenses for your company.
Three Lines Of Defense
Many companies augment their cybersecurity efforts with internal audit teams, which evaluate internal controls, regulate risks, and streamline operations. IT and internal audit teams are part of a larger cybersecurity strategy, with separate responsibilities and focus areas. Regardless of the organization’s size, industry, market, or risk tolerance, successful defense requires coordination and a shared ethos of risk management.
The graphic below shows an example of how these teams fit into a company’s overall security operations.
First Line: Manage
This line of defense involves the front line process owners assessing the activities that create underlying risks. For the objectives of cybersecurity, the goal is to identify the underlying cyber-risks and design and implement controls to address them.
Second Line: Monitor
Once the proper controls are in place, the next step is senior management monitoring them to make sure operations are running effectively. Senior management can leverage their competence and expertise in monitoring and overseeing the activities of the first defense. This second line helps make sure the first line activities are operating and addressing the underlying objectives.
Third Line: Assure
The final line of defense is the audit committee or internal audit acting as an objective and unbiased resource that should report to the board to avoid influence from the management team. This third line uses independent validation to assess the organization’s ability to address cyber-risks appropriately and effectively.
The internal audit team plays the role of both police and advisor, which means internal audits are only effective when there’s trust between IT, the audit team, and other departments across the company. Collaboration between these teams can help problems become apparent, leading to quicker identification and development of solutions. Doing one thorough review as opposed to frequent ineffective reviews helps improve the efficiency of the audit process, and the best way to achieve that is to make sure both groups understand the value of working together.
Having the governance team working with the IT team to share a big picture understanding of the risks as part of due diligence can be hugely beneficial. In the same vein, internal audit teams should have a relationship with the board and work with IT to communicate up to the board.
While the IT and internal audit teams share a common goal, their methods and approaches can often differ greatly. From industry language to misunderstood goals, there are a few steps you can take to help these teams collaborate more effectively.
Both IT and internal audit teams have their own languages and terms, which can create barriers to understanding when the two groups work together. Often, auditors with a technical understanding of the basics of IT can help reduce confusion.
Here are some examples of how teams may use different terms to refer to the same idea.
Audit and IT teams frequently compete for the same budget and funding resources while working from different control frameworks, so divisions naturally occur. Compounding this, the basic attitudes of each team can be vastly different.
For example, compliance for an IT team is considered a baseline security standard, whereas internal audit teams see it as one of several factors to consider for security. Security threats can often move faster than compliance standards can be written or adjusted.
Due to the independence and objectivity requirements placed on audit teams, it can often seem that the role of an audit is to police security, although it’s really to improve overall security. Taking these differences into account can help smooth friction between the two teams as they work toward achieving shared goals.
Other ways to improve collaboration could include:
- Communicate the importance of audit efficiency to improve the audit and cybersecurity experience
- Prepare and provide the list of reports or system reviews needed ahead of the audit
- Solicit IT leadership’s feedback on high-risk target approaches
- Use audit findings to help drive remediation projects and increase budgets for security
- Create cross-functional committees or communities
Understand the Shared Data Goal
The ultimate goal is the confidentiality, integrity, and availability (CIA) of sensitive data. This includes:
- Protecting tangible and intangible assets
- Reducing the possibility of fraud
- Knowing the types and location of data within the enterprise, such as personally identifiable information
- Creating a systematic approach to improve the effectiveness of risk management, control, and governance processes
- Understanding all frameworks used across all areas of compliance, such as COSO or COBIT 5, as well as the framework used by the IT team to assess security, such as NIST 800-53 or 800-171, ISO 27001, or HITRUST CSF
Through increased and transparent collaboration, IT and internal audit teams work toward improving the security and functionality of their organization. They can design an audit that will have the greatest impact and sound the whistle together.
We’re Here to Help
For more information about strengthening collaboration between your IT and internal audit teams, contact your Moss Adams professional.