A new whitepaper by PricewaterhouseCoopers discusses how internal audits can bolster security and forestall network breaches.
A strong internal audit can be the difference between
catching a security failure and spending weeks and months doing a forensic
investigation of a breach.
With this in mind, professional services firm
PricewaterhouseCoopers (PwC) released
outlining how internal audits have become a key pillar
of security strategies in the age of data breaches and what companies can do to
overcome some common hurdles to audit effectiveness.
"Internal audit departments need strong governance,
which leads to respect, credibility and visibility," said Carolyn
Holcomb, leader of PwC's Risk Assurance Data Protection and Privacy
practice."If they don't have the right visibility or governance, they're
just not heard and unfortunately, this happens frequently."
Even with compliance regulations in place, most companies
tend to do the minimum, so strong governance is important to make sure the
regulations are effective at providing a level of security, she said.
In the whitepaper, the firm details a number of pitfalls
audit efforts can face, such as the belief that adequate security measures are
already in place or audits can be undercut by fragmented responsibility for
According to Holcomb, PwC is seeing a trend where companies
are forming risk committees at the board level so that the committee can assess
and understand the privacy and information security risks of the organization.
Many businesses are looking externally for these individuals because they aren't
often found serving as board members, she said.
"Because information security and privacy can often be technical, individuals without
experience in this area may not understand it," she said. "As a
result, the auditors of information security and privacy may be communicating
risks and concerns, but to senior management or boards who don't fully understand
and appreciate the risks."
In addition, she said, boards need to be more educated about the hacks their
management teams are detecting and preventing to improve their understanding of
the threat level. "Increased governance and visibility for the information
security and privacy professionals within organizations and increased
communication with the board can increase this education and awareness,"
This board-level support for audits is very important, she
said, and roles and responsibilities for privacy and security with the
management need to be defined. It is also important that the audit highlight
and assess the organization's significant data security and privacy risks and
include any information about threats that may be on the horizon when it is
presented to the audit committee, the firm noted in the paper.
"No matter how strong a company's data security policies and
controls are, a company won't really know the adequacy of its defense if it
doesn't continually verify that those defenses are sound, uncompromised and
applied in a consistent manner," said Jason Pett
, PwC's U.S. internal audit services leader,
in a statement.
"Internal audit has to play a far more substantial role in
information security, and audit committees must also increase their attention
on the increasing risk, heightening the expectations they place on internal
audit to place adequate focus on data security and privacy concerns," Pett's