
Only 70% of Large-Company Internal Audits Assess Cyber Risks

Nov. 29, 2023

New data from Jefferson Wells suggests internal auditors are realizing the importance of cybersecurity, but their ways of improving their approach vary.

Cybersecurity continues to be a top priority for finance teams, and within internal audit teams, data security and threats to data integrity have become significant concerns.

According to Jefferson Wells’ 2023 Internal Audit Priorities Annual Survey Report, internal audit teams are more worried about cybersecurity than anything else. However, their actions in response are not uniform or focused on one area.

The new data from Jefferson Wells shows that only four in 10 companies (40%) with less than $1 billion in revenue addressed cybersecurity in their latest technological risk assessments. For larger companies, the likelihood of assessment was higher at just under three-quarters (70%).

Risk Audit Focus
As the means of cybersecurity and data protection become increasingly complex, internal audit leaders’ focus seems to be spread across various areas. Parts of cybersecurity with a more proactive approach seem to get the most traction, according to the survey.

Over half of internal auditors said threat and vulnerability management (54%) and identity and access management (51%) are part of their technology risk assessment approaches. Just under half (47%) have added cloud computing risk assessments, data governance and privacy compliance (46%), and ransomware protection (42%).

Efforts to combat ransomware are also a focus for audit teams, especially over the past year. About half (54%) of auditors said they have reviewed a ransomware attack response plan, and 51% said they assessed backup and data storage security. Those numbers are up 16% and 14%, respectively, from 2022.

To find weak spots in their data systems, internal audit leaders continue to coach employees on how to respond to threats like phishing attacks and run controlled simulations of data manipulation and theft.

Areas of focus in these tests include password policies (51%), data loss prevention (43%), malware detection (42%), phishing (37%), intrusion detection (36%), and social engineering (25%). While larger companies have more resources to combat these kinds of breaches, they are focusing on data loss, malware, and network penetration and intrusion moving forward, according to the survey.

Finding Talent
Without talent, internal audit teams may struggle to perform their duties, let alone approach complex topics like cybersecurity. Like accountants, CFOs, and other corporate finance positions, internal auditors said finding and retaining quality talent is an ongoing challenge.

Access to a technical skill set in the labor market was the biggest challenge for internal audit in 2023, according to the survey. Other concerns about talent included the quality of the labor market (38%), compensation requirements (38%), flexible work demands (35%), and competition (35%).

Finance teams may be willing to pay more for talent if difficulties in accessing quality labor continue. According to the Jefferson Wells survey results, this shouldn’t be an issue for many teams, as only 25% of respondents indicated a lack of budget concerning talent.

[CFO.com]
