Internal Audit and Information Security

How’s Your Relationship with Internal Audit?

Want a quick and easy way to get an idea how well your organization’s risk management program works? Take a look at how the technical staff reacts to and interacts with the internal audit team.

The role of internal audit is to aggregate internal policies, regulatory requirements, and industry best practices and then observe the organization to see how the operational reality stacks up with those goals. This is the chance for us to see if we’re walking the walk or if all our risk management policies and systems are just for show.

When your team hears that the internal auditors are going to be coming, what is the response? No, not everyone will be thrilled to spend a day or week sitting with auditors discussing business practices, and showing proof of what they do. Schedules are tight, and fitting in audit work alongside a full schedule can be a challenge. But aside from scheduling, this should not be a gruesome task. If your employees are overly concerned about the audit process, it may be that they are not properly educated about the policies and procedures required to do their job.

In a well-functioning team the opportunity for a different set of eyes to evaluate and offer feedback is invaluable. They can show us where our documentation is lacking (because the people who do it every day can naturally fill in those gaps), where our separation of duties is inadequate, or where cross-training is needed. Joe might be the best firewall administrator in the world, but letting him do all of the firewall work means that when he finally goes on vacation or gets a new job, your organization will be scrambling to fill in his position.

The biggest key to creating a positive relationship with audit, and successfully undergoing audits, is remembering that internal audit and security risk management are on the same team. We are both looking to handle risks. Our job in security is to identify and implement effective mitigating controls, and audit’s job is to flag those risks which have not yet been properly mitigated, so that management is well aware of them, and can make appropriate business decisions. If they identify a finding in your area, it’s not the end of the world. It’s an opportunity for you to improve your environment and make things better.

Security and Audit should make each other better

Information Security and Internal Audit can be extremely effective partners. Chances are that the folks in the security team are more technically savvy and more intricately familiar with the details of the corporate information systems. As such, during an audit, security can provide assistance to internal audit in guiding through the technical-speak and confusing network diagrams to determine all kinds of great information. Including what data is sitting where, what it’s doing, and what protections are in place. By being a technical consultant, the security team can provide valuable assistance to audit and make the audit findings more detailed and impactful.

On the flip side, audit can be an important ally for security. How often does your security team find a risk, bring it up to technical leaders, and have that risk ignored because of time or money scarcity? It’s an ongoing balance to figure out which risks need to be addressed. Security’s concerns are usually heard, but often cannot be immediately implemented. But when an item is made an audit finding it gains significant weight. Those audit findings will make their way up the chain, to the desk of the president and the board itself. Senior leadership is directly responsible for addressing and implementing audit findings. Getting audit to include the risks that security identifies can be a great way that audit can assist security.

For the most part, the difference between security and internal audit is slight, but significant. We are both looking to address risk, but security is considered a part of the business, and audit must be an impartial third party. By working together both teams can become better at what they do.

If you haven’t already, go take an auditor out to lunch. Ask about what they do, and how you can help. It’s a relationship that you both will enjoy.

Connect with


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s