Auditor Evaluation and Reporting on Cybersecurity Risks

Jeffrey S. Zanzig, Guillermo A. Francia III
Copyright: © 2022 | Pages: 20
DOI: 10.4018/978-1-6684-3698-1.ch002


Tremendous improvements in information networking capabilities have brought with them increased security risks resulting from the deterioration of the ability of a physical layer of computer security to protect an organization's information system. As a result, audit committees have had to deal with new security issues as well as the need to understand the cyber perpetrator and ensure the proper training of employees to consider cybersecurity risks. Standard setters including the Institute of Internal Auditors and the American Institute of Certified Public Accountants have issued guidance about lines of defense and reporting on an entity's cybersecurity risk management program and controls, respectively. Each of these topics is considered along with how cybersecurity guidance from COBIT, the National Institute of Standards and Technology, and the Center for Internet Security can be mapped into five cyber infrastructure domains to provide an approach to evaluate a system of cybersecurity.
Chapter Preview


A primary focus of an audit committee is to provide an independent oversight function to ensure that the processing and storage of information is performed in a secure and reliable manner to meet the needs of information users. Although the birth of the Internet and extensive networking capabilities have substantially increased the ability of organizations to process and disseminate information, they have also opened the door to greater access to information systems by unauthorized and often malicious intruders. Addressing these security issues is difficult because the technology available, both within and outside of an organization's control, is constantly changing. This section discusses challenges faced by audit committees as a result of cybersecurity issues. It also considers common profiles of the cyber perpetrator and how noncompliance with information security policy by well-meaning organizational personnel can allow unauthorized access into an organization's information system.
