What is Internal Audit’s role in Information Security?
This can differ from campus to campus, but typically internal auditors evaluate a wide variety of programs across the organization to determine how all involved processes work and identify possible areas of improvement. With regard to compliance with different information security and privacy standards, the goal of the audit is to answer the following question: “Can internal audit provide reasonable assurance that our organization is compliant with ________?” Fill in the blank with any cybersecurity or privacy standard – PCI DSS, GDPR, GLBA, HIPAA, etc.
A large part of an Internal Auditor’s job is to keep current with regulatory standards, and ensure the executive level team is aware of any potential regulatory violations that could result in significant fines or losses. Auditors are typically not experts in each standard, but will have a broad understanding of different regulatory requirements and their related threats, both internal and external, and can help identify and prioritize any emerging risks.
Once tasked with auditing against a specific compliance initiative, IT Auditors will begin by researching the regulation to understand exactly what is required of their organization. Then they start the audit by identifying all locations that store, process, or handle relevant data. They plan well in advance to ensure they have access to all relevant documents, reports, information, and staff members during the assigned audit timeframe, and make the included teams aware of their expected involvement. Auditors may also ask for data flow diagrams to help them understand where the information is flowing (e.g. which network components are involved, etc.) and what security controls are currently in place.
They perform a thorough review of the compliance program to verify whether the organization has implemented the appropriate IT controls, and document any gaps or weaknesses discovered. An audit will often include detailed documentation reviews, checking for validity, accuracy, and completeness. A large portion of the audit is spent conducting interviews with both managers and staff to determine what is actually happening in their day-to-day operations, and comparing that to what is outlined in organizational policies. It is not enough to have documented policies; those policies must be carried out across the organization. Testing that staff actually execute the documented procedures is a critical component of any audit.
IT Auditors may test processes like account authorizations, account reviews, and segregation of duties, as well as assess the physical security of each location. They will analyze processes that have been put in place to identify and log potential incidents or breaches. For example, how timely are response efforts – how quickly does the assigned team act on information or alerts from security logs or monitoring systems? Once vulnerability scans are run, how soon are critical findings addressed? How fast can necessary changes or updates be made? Has a risk assessment been performed? Has the incident response plan been tested and were the results of that test adequately evaluated and improved upon?
An Information Security audit should address three different layers of a compliance program:
- Is the organization’s Board or Leadership Committee providing adequate compliance oversight?
- Has management designed and implemented appropriate security and business controls?
- Are front-line employees following process and executing those defined controls in their day to day operations?
After gathering the necessary evidence to answer these questions, the internal audit team will evaluate the likelihood of unauthorized access, rank the severity of any identified risks, and provide recommendations for improvement. The final report should clearly outline existing gaps, provide a background of the problem and the associated risks, and define remediation efforts and available solutions. There may be recommendations for how the organization can limit the amount of data that is being collected, or areas where access can be restricted more efficiently. They may also make recommendations regarding available resources, adequate staffing, or if additional support is needed.
Internal audit can play a key role in engaging and encouraging executive leadership to focus on comprehensive information security and data protection. They may be able to bring more attention to a project or expedite efforts that were moving slowly before their review. For example, that “outside” voice can improve user compliance with information security policies and procedures, or increase participation in training.
When Radford University first embarked on the journey towards PCI compliance, staff from Audit and Advisory Services were included from the start. The University had dedicated time and resources towards researching methods and processes other institutions had implemented to document compliance, and quickly realized that there were many paths that could be taken and that their approach needed to be tailored to Radford’s individual situation. They saw immediately the value and benefits the Audit and Advisory staff would bring to the endeavor. The Information Technology Auditor for Radford was able to help bridge communications between CampusGuard, their QSA consultant, and the Information Technology and Finance divisions. The Auditor was able to interpret the PCI DSS standard from a technical standpoint and tie it directly to how the institution operated. The Auditor, while inside the institution, was able to bring in an outside perspective, which was extremely valuable as the team worked through processes and data flows and determined strategies to reduce scope and achieve compliance.
We also spoke recently with Kim Stansell, the PCI Compliance Program Coordinator for Vanderbilt University, as her team has a close working relationship with Vanderbilt’s Office of Audit, Risk, and Advisory Services (ARAS). They have partnered on various compliance initiatives, including providing in-person training seminars to the different departments on campus that are not directly processing credit cards. By holding cross-departmental training sessions for a broader university audience that cover topics like internet security, tax, and the financial aspects of merchant accounts, they are able to bring PCI compliance into the discussion with the intent of continually increasing their overall institutional PCI compliance knowledge. Their shared goal is to train and re-train staff until PCI compliance is second nature.
“The auditors at Vanderbilt have been an excellent resource and partner as we work to maintain our compliance with the PCI DSS. As we see too often, organizations can be compliant one minute, and then fall victim to a significant data breach the next. We value our partnership and the role ARAS plays in helping us evaluate the overall effectiveness of internal controls,” shared Stansell.
Doug Horr is the Associate Vice Chancellor for Audit, Risk, and Advisory Services at VU and echoed Stansell’s thoughts, “Establishing and maintaining open communications with our information security and compliance teams allows us to be proactive and help establish sound controls on the front end of compliance processes, as well as be able to react quickly to mitigate unusual risks that may arise.”
At some institutions, unfortunately, the relationship between IT/Security and Internal Audit can be somewhat strained due to the very nature of their roles: the IT team is working hard every day to keep the environment secure, yet the audit team, in order to do its job, must question what is being done. In some instances, IT may feel that the auditors lack the background and technical knowledge necessary to make recommendations, and will disagree or become defensive when discussing the results of the audit report. Successful organizations are those that see the benefit of a more collaborative relationship, where IT designs and implements the technologies and procedures that protect organizational data, and Internal Audit provides a secondary review of the effectiveness of those efforts. This continuous-improvement feedback loop lets information flow freely in both directions and, in turn, creates a more effective compliance program.
Including Internal Audit within your PCI team can prove invaluable. At Radford University, as policies and procedures were being finalized, the team formally adopted what is known as the PCI Compliance Steering Committee. This committee serves in an advisory capacity to the Associate Vice President for Finance and University Controller in guiding and monitoring the University’s cardholder data environment and overall compliance with the PCI DSS. To formalize the role, function, and ongoing membership of this committee, a charter was created. It was in the University’s best interest to continue involving staff members from the Division of Finance and Administration, the Division of Information Technology, and the Office of Audit and Advisory Services, so that they could work together collectively.
“We are very fortunate to have an Audit and Advisory team that not only audits, but advises. Their guidance and recommendations are greatly valued. They understand our available resources and strive to recommend processes that are compliant while not creating an additional administrative burden,” shared Stephanie Jennelle, Associate VP for Finance and Radford University Controller.
Auditors often bring a different and important perspective to a project. Their outside experience and independent, objective analysis can help organizations more effectively manage ongoing compliance efforts against a specific standard. They should be seen as partners with the same end goal – working together to build stronger risk management and data governance systems.
Are you including your internal auditors within your compliance committees and teams?
Some additional guidance from the Security Advisor Team below:
[Campbell]: Up until a few years ago it was less common to see institutions directly involving their internal auditors as official members of a PCI Team or other compliance/security initiatives, such as GLBA or HIPAA. There were certainly some isolated cases, as discussed in the article above, but most campuses either involved auditors only on an ad-hoc basis, or not at all. While I still encounter institutions operating in that “classic” model, now we often find internal auditors as part of PCI and other compliance teams, and active participants from day one of engagements. In some cases we have even worked primarily with campus internal audit, as their expert resource to supplement their audit expertise with subject matter knowledge.
No matter the variant, this trend towards active collaboration and partnership with internal audit is a good thing. As noted above, everyone working for a given institution has the same goal. Everyone brings different skills and viewpoints to the discussion, and missing out on the skills and viewpoint that auditors bring is like disconnecting one of the spark plugs on your car. The engine will still run, but not at peak efficiency.