How internal audit increases cybersecurity transparency for the board


Authored by RSM Canada

Cybersecurity and data privacy issues continue to make headlines, and the risks surrounding them are only increasing. The demands on chief information security officers and chief technology officers expand as data moves from in-house systems to cloud computing, mobile devices, remote work setups, and new technologies including artificial intelligence and robotic process automation. As security and privacy risks increase, a disconnect between security personnel and the board could leave the organization more vulnerable.

To avoid this disconnect, the board should make a concerted effort to maintain an accurate picture of the risk profile of the organization and the strength of its cybersecurity program. Despite the intricacies of managing emerging technologies, security and privacy risks, and compliance requirements, executives’ confidence in their cybersecurity programs remains high. In RSM US’ Cybersecurity Special Report, 93 percent of C-suite respondents expressed confidence that current safeguards protect their organizations’ data. Considering the increased disruption, threats, and compliance burdens, boards should reevaluate their confidence levels and ensure that management’s perceptions of security remain realistic. 

An incomplete picture of enterprise risks

To make data actionable, board members are often presented with high-level summaries that provide snapshots but may not capture the true nature, extent, and urgency of security, privacy, and compliance risks. Filtering the information in this way may dilute the perception of their severity. Thus, boards are making decisions without an accurate and complete picture of the risk profile.

A lack of security resources also may result in an incomplete picture of security and privacy risks for the board, caused by, and in turn causing, reduced communication with security personnel. As the demand for cybersecurity resources outpaces supply, and as cyber risks grow in number and become more severe, even organizations with standard security resources may not have a direct line of communication with the decision-makers. Furthermore, a lack of trust exacerbates this information gap between technology personnel and the board.

How internal audit can help

The internal audit committee can play a key role in overseeing security, privacy, and compliance by offering an effective approach to identifying, communicating, and managing risks. Internal audit’s mission is to enhance and protect organizational value by providing risk-based guidance. Internal audit can partner with cybersecurity teams to sponsor in-depth assessments that enhance visibility of cybersecurity risks.

Moreover, while cybersecurity teams may not frequently interact with the board, internal audit often has a direct line of communication to directors. Connecting cybersecurity with internal audit can better elevate risks to executives and the board, reduce information filtering, and promote improved collaboration. 

Three key takeaways for board members

  1. Board members may ask management to perform a cybersecurity assessment, but such requests are often ambiguous. Cybersecurity or information technology (IT) professionals may interpret these requests without fully understanding the board’s intent, resulting in assessments that do not provide the visibility the board had anticipated. If possible, correlate the request to specific concerns (e.g., ransomware or overall program maturity).
  2. Ask internal audit to participate in the cybersecurity assessment(s). Getting internal audit involved will allow for greater transparency of the findings while providing a path to fully communicate the cyber risks to the board.
  3. Ensure that there is a cybersecurity steering committee that meets on a regular basis to discuss cyber risks. This committee should determine how and when to present to the board. Involving business units and functions outside of IT and cybersecurity in this committee will facilitate broader discussions, help articulate the business impact of cyber risks, and tie cyber risks to enterprise risk management strategies.  

Previously featured in the July/August 2021 issue of Directory Advisory.

Let's Talk!

Call us at 905.415.2511 (Markham) or 705.727.0763 (Barrie) or fill out the form below and we'll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

RSM Canada Alliance provides its members with access to resources of RSM Canada Operations ULC, RSM Canada LLP and certain of their affiliates (“RSM Canada”). RSM Canada Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM Canada. RSM Canada LLP is the Canadian member firm of RSM International, a global network of independent audit, tax and consulting firms. Members of RSM Canada Alliance have access to RSM International resources through RSM Canada but are not member firms of RSM International. Visit for more information regarding RSM Canada and RSM International. The RSM trademark is used under license by RSM Canada. RSM Canada Alliance products and services are proprietary to RSM Canada.

NVS is a proud member of the RSM Canada Alliance, a premier affiliation of independent accounting and consulting firms across North America. RSM Canada Alliance provides our firm with access to resources of RSM, the leading provider of audit, tax and consulting services focused on the middle market. RSM Canada LLP is a licensed CPA firm and the Canadian member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM Canada Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how NVS can assist you, please call us at 905.415.2511 (Markham) or 705.727.0763 (Barrie).