IS Audit Basics: Providing Audit Committee Guidance

It has been largely overshadowed by the EU General Data Protection Regulation (GDPR), but the Directive on Security of Network and Information Systems (NIS Directive) has been transposed into law in many European countries. The NIS Directive is the first EU-wide legislation on cybersecurity. The objective of the directive is to achieve a uniformly high level of security of network and information systems across the European Union, through:

  • Improved cybersecurity capabilities at the national level
  • Increased EU-level cooperation
  • Risk management and incident reporting obligations for operators of essential services and digital service providers

Essential services are defined as energy, transport, banking, financial market infrastructures, healthcare, water and digital infrastructure (e.g., top-level domain name registries). Digital service providers are defined as online marketplaces, cloud computing services and search engines.

However, despite the transposition of the directive, there is no requirement for the board members of the operators of essential services or digital service providers to have IT or cybersecurity experience. So what is to be done? Indeed, what can be done for any enterprise where the IT-related risk factors are significant, but the board’s experience may be lacking? I believe it is incumbent on IT audit to educate or, at least, to offer to educate the board in this regard.

Provide an Overview of IT Risk

IT risk can be categorized as:

  • IT benefit/value enablement risk—Associated with missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives
  • IT program and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs as part of investment portfolios
  • IT operations and service delivery risk—Associated with all aspects of the business-as-usual performance of IT systems and services, which can bring destruction or reduction of value to the enterprise
