
20) Does your organisation have an internal audit function that ensures information security requirements are being met by the business?

August 30, 2022
Security Governance
Internal Audit

Answer yes if you have an internal team who audit your security function against your policies to ensure compliance. Please comment on the frequency of the audits in the notes.

What is it?

The goal of an internal audit function is to ensure that the IT and Information Security policies and processes that you have defined are actually implemented in practice and that the controls are effective. The audit function routinely audits operations to make sure the outcomes are as expected.

Why should I have it?

Having an internal audit function provides more objective visibility into operations, the state of your organisation’s environment, and the effectiveness of your policies and processes.

Without an internal audit function, IT and Information Security departments essentially police themselves and can lack accountability. This in turn can lead to poor results, misleading reporting, and a false sense of assurance.

Having this function helps reassure company leadership, clients, and partners alike that your security is reviewed and that its implementation and efficacy are validated, rather than only existing on paper.

How to implement the control

Internal audit is primarily a business function. It should systematically review policies and processes, ensure that they are adequate, and then confirm that they are being performed effectively and consistently.

The function should routinely monitor outcomes and request evidence that processes are being followed. It must also have a level of autonomy and authority that allows it to request visibility into any part of the organisation with little to no delay and in such a way that information can’t be withheld or obscured.

Finally, the internal audit function should be free of any interference or conflict of interest with the IT organisation and report directly to an Audit and Risk committee that holds the executive committee accountable.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
