Internal audit function can bolster cybersecurity frontiers

16 March 2016

A new report by Protiviti finds that cybersecurity is increasingly finding its way through the ranks of internal audit teams. The move is applauded by the advisors – as besides the usual suspects of technology, finance and risk, it turns out that internal audit can play a serious role in bolstering cyberfrontiers. Differences in maturity persist in the market, with top internal audit performers benefiting from improved frontlines, however, across the landscape there still is a way to go.

Cybersecurity is increasingly posing an issue for organisations, as a growing number of organisations find themselves the victim of cybercriminals. Attacks may disrupt businesses as databases or websites are compromised, or, through increasingly sophisticated phishing, may see millions incorrectly transferred into criminal back accounts. Furthermore, the effect of compromised customer and client records, as well as the loss of intellectual property, can cause significant reputational and structural damage to organisations. In recent years, companies have started to respond to the new threat environment, with more boardroom engagement on the issue (although engagement is slow, at around 20%), a focus on training staff about the threats, as well as hardening frontiers and areas of acute vulnerability to attack. The use of more sophisticated analytics tools is also, according to a recent PwC report, gaining traction.

A new study by Protiviti comes with a different, yet valuable angle for tackling the risks coupled with cyber activities. Based on an assessment of more than 1,300 internal audit professionals, including more than 150 chief audit executives (CAEs), the firm finds that there are two critical success factors when establishing and maintaining an effective cybersecurity plan. The first factor relates to ensuring that the management has a high level of engagement in information security risks, in particular those placed in executive positions. “Cyberattack threats are significant and continuously evolving in sophistication,” says Brian Christensen, Executive Vice President of Global Internal Audit at Protiviti. “Our survey found that when it comes to cybersecurity and auditing processes, the highest performing organisations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks.”

The second critical success factor revolves around ensuring there is sufficient integration between risk management and internal audit. “The internal audit function should integrate cybersecurity into its daily activities as well as its annual audit plan”, says Christensen. Companies with at least one of these success factors in place are “significantly more likely” to have a stronger risk posture to combat cyber threats. For example, 91% of organisations with a high level of board engagement in information security risks have a cybersecurity risk strategy in place, compared to 77% of other organisations. Similarly, 83% of companies that include cybersecurity risk in the annual audit plan have a cybersecurity risk policy, versus 53% that do not include cybersecurity risk in their audit plans.

Growing adoption
The study further shows that professionals are increasingly taking note of the best practices in the market, and as a result cybersecurity is across the board gaining increasing strategic attention from internal audit teams. Overall, four out of five organisations now have a cybersecurity risk strategy in place, and three out of four organisations studied include cybersecurity risk in their annual internal audits, a 20% increase year-on-year. Besides the risk & control processes that sit behind the trend, the key driver lifting awareness is according to the authors the preventive function the approach can have.

In terms of governance, in a majority of organisations, the CIO regularly reports to the audit committee on cybersecurity and IT risks, with the numbers markedly higher for top-performing companies.

In the slipstream of the improved focus, organisations seem more confident in the field, illustrated by the fact that the perceived level of cybersecurity risks for nearly all key areas dropped compared to 2015 findings. Brand damage still is the risk with the largest perceived impact, followed by data leakage and data security – in all cases the risk score (10 point scale) has fallen from above 7.5 to under 6.0.

“Cybersecurity has evolved into a strategic business risk”, says Christensen, however, he adds that despite the terrain gained, pundits should keep today’s context in mind. The trend he says is in part a logical consequence of the “widespread communications” about the topic, a development which is likely to “drive many organisations” to create cybersecurity strategies and policies. He highlights that the steps are positive, “but only the first ones if organisations hope to navigate the treacherous waters successfully”.

In fact, results from the survey also find that organisations still have a “long way to go” in their journey, with in particular more maturity required on execution related aspects of cybersecurity. Talent for instance is regarded as a major bottleneck – compared to 2015 results, approximately twice as many respondents this year indicated their organisations are not able to address specific risk areas due to shortcomings in resources/skills. Similar feedback has been received in the area of tooling, highlighting that a more forward-looking approach would benefit the defense of cyberfrontiers, including the likes of strategic workforce planning and an IT strategy on cybersecurity applications. A more holistic view on matters too surfaces as an improvement area. “Cybersecurity is not just an IT issue – it is a business risk requiring a comprehensive approach to manage”, says Christensen. Organisations are advised to stimulate execution throughout the organisation, accompanied by effective communication.

10 recommendations

Based on a synthesis of the findings, Christensen and his team at Protiviti – a global consulting firm specialised in GRC and internal audit – have drafted ten cybersecurity recommendations for executives.

  • Work with management and the board to develop a cybersecurity strategy and policy.
  • Identify and act on opportunities to improve the organisation's ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
  • Recognise that cybersecurity risk is not only external assess and mitigate potential threats that could result from the actions of an employee or business partner.
  • Leverage relationships with the audit committee and board to (a) heighten awareness and knowledge of cyberthreats; and (b) ensure the board remains highly engaged with cybersecurity matters and up to date on the changing nature of cybersecurity risk.
  • Ensure cybersecurity risk is integrated formally into the audit plan.
  • Develop, and keep current, an understanding of how emerging technologies and trends are affecting the company and its cybersecurity risk profile.
  • Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, recognising that because the framework does not reach down to the control level, your cybersecurity programme may require additional evaluations of ISO 27001 and 27002.
  • Seek out opportunities to communicate to management that with regard to cybersecurity, the strongest preventive capability requires a combination of human and technology security — a complementary blend of education, awareness, vigilance and technology tools.
  • Emphasise that cybersecurity monitoring and cyber-incident response should be a top management priority — a clear escalation protocol can help make the case for (and sustain) this priority.
  • Address any IT/audit staffing and resource shortages as well as a lack of supporting technology tools, either of which can impede efforts to manage cybersecurity risk effectively.

“It’s apparent that further work is essential to build out these internal audit capabilities. Companies must take stronger action to set these imperatives into place”, concludes Christensen.


An 8-step framework for banks to prepare for FRTB changes

02 April 2019

With FRTB expected to come into force in 2022, it is critical that banks implementing necessary changes remain on track for their compliance timelines. Whether a company is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programs often represent a significant investment, requiring process, systems and cultural change. 

Drawing from its experience in helping banks meet the milestone set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework: 

Prioritisation framework for FRTB

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for companies that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modelability test for the risk factors). Key business decisions may be required if a desk trades complex products that are more aligned for SA treatment. 

2. Product scope

In order to reach the IMA status, products are required to be supported with additional data sets including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment on the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome, such as access to historical market data, availability of price verification for the risk factors or significant enhancements to support computational capacities, then these products should be scoped out of the IMA program as soon as possible in order to save time and effort on continuing analysis. 

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability – including the capital impacts. For example, running training and awareness campaigns within the front office can help the traders to understand the impacts of their activities and encourage changes in the way that they trade. By considering this holistically as a business and operational change, it can help keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline. 

4. Internal controls

Methodology, reporting, auditability, and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management for the data (including ownership, quality control, golden source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modeling. If there has not been a data lineage exercise already applied, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models. 

Framework for FRTB

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand if there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionized for output accuracy and refinement, however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes e.g. LIBOR Transition. Business process optimization, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits and prepare the process for a smooth implementation of the future FRTB models. 

7. Technology platform & testing environments

With regards to technology planning, the opportunity in 2019 is focusing on gaining agreement of the front-to-back FRTB future state architecture including the use of vendors as applicable. By ensuring a disciplined focus upon design and solution definition across all requirements, it provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture which allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will provide the program with essential data and metrics needed for decision making. 

8. Leverging synergies

Once a baseline plan has been established, it is possible to identify synergies across other programs – such as the SA-CCR (Standardized Approach for Counterparty Credit Risk) or the IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future state architecture, and implementing the change in a complex environment requires a mix of strategic principles and program management. Therefore, we consider it an opportunity for 2019 to take a centralized approach for data lineage and requirements gathering as this would be beneficial for optimizing capital costs across both the market and credit risk environment.


By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value, but also set a solid foundation for a comprehensive FRTB implementation in the years to come. 

For more information on Capco’s model and the its approach in helping banks plan for FRTB, download the full whitepaper on the firm’s website.