
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?

August 31, 2022 Security Governance Internal Audit

Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.

What is it?

The goal of an internal audit function is to ensure that the IT and Information Security policies and processes that you have defined are actually implemented in practice and that the controls are effective. The audit function routinely audits operations to make sure the outcomes are as expected.

Why should I have it?

Having an internal audit function provides more objective visibility into operations, the state of your organisation’s environment, and the effectiveness of your policies and processes.

Without an internal audit function, IT and Information Security departments essentially police themselves and can lack accountability. This in turn can lead to poor results, misleading reporting, and a false sense of assurance.

Having this function helps reassure company leadership, clients, and partners alike that your security is reviewed and that its implementation and efficacy are validated, rather than only existing on paper.

How to implement the control:

Internal audit is primarily a business function. It should systematically review policies and processes, ensure that they are adequate, and then confirm that they are being performed effectively and consistently.

The function should routinely monitor outcomes and request evidence that processes are being followed. It must also have a level of autonomy and authority that allows it to request visibility into any part of the organisation with little to no delay and in such a way that information can’t be withheld or obscured.

Finally, the internal audit function should be free of any interference or conflict of interest with the IT organisation and report directly to an Audit and Risk committee that holds the executive committee accountable.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
