Internal Information Security Auditing - Not just another Check Box!

When it comes to the information security domain, internal auditing plays an extremely important role for an organization of any scale, big or small. Internal auditing not only helps in highlighting security risks but also helps in ensuring that the security controls in place are up to date, adequate and continually pursued. Cyber attacks have become among the most common and biggest problems of our times, due to the expansion of technology and the nature of the data handled by organizations. Any compromise of that data can cost an organization not only money but also its reputation and stability in the market.
Considering cybersecurity the need of the hour, companies have made sure to have the strongest possible defense mechanism at the enterprise level; this is achieved by introducing multiple security policies and procedures and by deploying various security tools to safeguard the different infrastructure and network layers from cyber-attacks.
Nonetheless, the challenge is to ensure that our defense mechanism stays as resilient and as strong as it was when initially deployed. One cannot assert that established policies and procedures are sound, adequate and consistent until they are verified on a regular basis. This is where internal audit plays a substantial role within an organization: it makes sure that the additional security controls are not dummy placeholders but are doing what they are supposed to do. We should not wait for a real cyber-attack to get into the drill.

Audit & IT Business Teams

The audit has always been considered a daunting task by the associated business/IT teams at the beginning of every financial year. It has also been taken as an overhead activity that intrudes on personnel's daily work and exposes the weaknesses in the current level of compliance. Even though the security business teams and internal audit are two different teams, both are fundamentally driven by the same ultimate purpose: protecting the organization from cyber threats and attacks. It is just that one team focuses more on the implementation of security controls and the creation of policies and procedures, while the other focuses on ensuring that all those security controls, policies and procedures are strong enough and are being followed consistently within the expected framework.
Internal audits should not be seen as an activity of cross-questioning; they should be considered a proactive self-assessment aimed at continuous improvement. Internal audits play an important role in overcoming any shortcomings in our current defense mechanism. This proactive self-assessment not only strengthens and improves the organization's current security standards but also prepares business teams for external or, in some cases, federal audits. Internal audit also reduces the last-minute strain and stress of external assessments.
To make the most of internal audit, and to cause minimum disruption to the business teams' daily activities, internal auditing should be performed iteratively without fail. This ensures that associates are aligned with the process and clarifies the scope. It also supports continual improvement and makes sure that the shortcomings identified in the last audit cycle are fixed or actioned before moving ahead with the process. A key aspect of the iterative internal audit process is to verify that all findings are formally documented and communicated to the broader stakeholders.
The scope of the audit should be briefed to the business teams at the very beginning. Then, as an initial step, the auditor should collect all the documentation and reports around the in-scope policies and procedures that are being followed.
Based on that documentation and those reports, the latest evidence is collected to check whether the policies and procedures are actually being followed. This forms the basis for providing feedback on the current security strategy and for giving inputs to make it better and more consistent.


To conclude, below are a few points to consider regarding internal audits.
  • First and foremost, every organization should have established policies, procedures and standards against which the level of risk can be identified.
  • Internal audit outcomes should be considered a measure of the current status of compliance. Steps should be taken to close the gaps identified before the external audit takes place.
  • The scope of auditing should be well defined and communicated to all affected teams in order to make the process smooth, collaborative and more fruitful.
  • Forthcoming audits should also cover the areas that were not covered under previous audit assessments, along with the sections that were considered weak last time.

Authored By - Anusha Sharma
TCS Enterprise Security and Risk Management
