Updating Internal Audit Controls
Organizations select internal controls to protect their assets. Assets range from data to network equipment to personnel, and they have one thing in common: they provide value to the organization. A control, therefore, must address a specific vulnerability and mitigate the risk to an asset.
New vulnerabilities are found and reported almost daily. They are catalogued in the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE and enriched with severity and product data in NIST's National Vulnerability Database (NVD). A newly disclosed vulnerability can reduce the effectiveness of an existing control, but an organization will not know this unless it regularly reviews and updates its internal audit controls.
The Audit Control Change Process
Changing or updating audit controls must follow a defined and approved process, for several reasons.
- Auditors and auditees must know what is being audited and why.
- Auditors and auditees must know what constitutes successful compliance.
- Control failures may result in financial loss.
- Control failures may result in legal problems.
Organizations should have an audit control change process to ensure that changes are approved and communicated throughout the organization. Without one, approved changes may or may not actually take effect, which leaves asset protection in jeopardy.
Understand the Framework
Audit control frameworks differ in purpose and applicability. PCI-DSS, for example, is an industry standard that applies to every entity that stores, processes, or transmits payment card data. Organizations may not change the published requirements, but they may add controls of their own as needed.
NIST frameworks, on the other hand, vary by industry and purpose. They are collections of recommended practices and, for most private-sector organizations, voluntary (US federal agencies are required by FISMA to follow NIST SP 800-53). An organization adopting one can select controls by applicability and adapt a control's wording to its environment.
Understanding a framework's restrictions tells an organization whether it may change or update its internal audit controls. Even restrictive frameworks like PCI-DSS allow additional controls, so it is always possible to modify a control or add a new one to address a new vulnerability.
Monitor New Vulnerabilities
Monitoring for new vulnerabilities should be a primary task, performed daily. Attackers watch the same CVE and NVD feeds that defenders do: exploiting a known vulnerability that has not yet been mitigated or patched is often easier, and quieter, than the extensive scanning or brute-force attempts that generate network noise and log alerts.
Beyond CVE and NVD, vendor security advisories, company websites, forums, blogs, and mailing lists also carry vulnerability information, and the CISA Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities confirmed to be exploited in the wild, which makes it a useful source for prioritization. Once details are public, it becomes a race between attackers and defenders to reach their respective goals.
Vulnerability and Control Verification
Once a vulnerability has been identified, it must be verified. This is a two-party process: the IT Audit Department provides the vulnerability details and the related control information to production staff, who compare the two, determine applicability, and return a positive or negative response to audit management.
A positive response means the vulnerability applies to the organization and the control must be changed; making that change is the responsibility of audit management, with input from production. A negative response means the vulnerability does not apply; it can be logged and retained for informational purposes.
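As an added example (not part of the original article), the following Python script shows how the monitoring and verification steps above can be partly automated: it reads NVD-style CVE records, matches each one against an inventory of the organization's products and the audit control that covers each product, and separates positive findings (applicable and at or above a severity threshold) from informational ones. The feed records, CPE names, CVE identifiers, and control identifiers are all constructed for illustration; a live feed would come from the NVD API 2.0 endpoint (https://services.nvd.nist.gov/rest/json/cves/2.0), which uses the same field layout.

```python
import json
from dataclasses import dataclass

# Constructed asset inventory (hypothetical): CPE 2.3 name of each product the
# organization runs, mapped to the internal audit control ID that covers it.
INVENTORY = {
    "cpe:2.3:a:examplecorp:webgate:3.2.1:*:*:*:*:*:*:*": "AC-WEB-07",
    "cpe:2.3:o:examplecorp:routeros:12.4:*:*:*:*:*:*:*": "AC-NET-02",
}


def _cve(cve_id, score, criteria, **range_keys):
    """Build one constructed record in the NVD API 2.0 JSON field layout."""
    match = {"vulnerable": True, "criteria": criteria, **range_keys}
    return {"cve": {
        "id": cve_id,
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [match]}]}],
    }}


# Constructed feed: four fictitious CVEs (IDs, vendors and products are made up).
FEED = json.dumps({"vulnerabilities": [
    _cve("CVE-2099-0001", 9.8, "cpe:2.3:a:examplecorp:webgate:*:*:*:*:*:*:*:*",
         versionEndExcluding="3.3.0"),
    _cve("CVE-2099-0002", 8.1, "cpe:2.3:o:examplecorp:routeros:*:*:*:*:*:*:*:*",
         versionStartIncluding="13.0"),
    _cve("CVE-2099-0003", 9.0, "cpe:2.3:a:otherco:fooapp:*:*:*:*:*:*:*:*"),
    _cve("CVE-2099-0004", 4.3, "cpe:2.3:a:examplecorp:webgate:3.2.1:*:*:*:*:*:*:*"),
]})


@dataclass(frozen=True)
class Finding:
    cve_id: str
    score: float
    asset_cpe: str
    control_id: str


def parse_cpe(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    return fields[2], fields[3], fields[4], fields[5]


def version_key(version):
    # Assumption for this example: dotted numeric versions only. Real CPE
    # versions may contain letters; use a proper version parser for those.
    return tuple(int(p) for p in version.split("."))


def in_range(version, match):
    """Apply the NVD versionStart*/versionEnd* bounds to an asset version."""
    v = version_key(version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cpe_applies(match, asset_cpe):
    """True if the cpeMatch entry covers the asset's vendor, product and version."""
    part, vendor, product, version = parse_cpe(match["criteria"])
    a_part, a_vendor, a_product, a_version = parse_cpe(asset_cpe)
    if (part, vendor, product) != (a_part, a_vendor, a_product):
        return False
    if version not in ("*", "-"):           # criteria pins an exact version
        return version == a_version
    return in_range(a_version, match)       # wildcard version: use range bounds


def cvss_score(cve):
    """Prefer CVSS v3.1, then v3.0, then v2; 0.0 if the record has no metrics yet."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return float(metrics[key][0]["cvssData"]["baseScore"])
    return 0.0


def triage(feed_json, inventory, min_score=7.0):
    """Split a feed into positive findings (asset affected, score >= min_score)
    and informational CVE IDs (not applicable or below the threshold)."""
    positive, informational, seen = [], [], set()
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        score = cvss_score(cve)
        hits = []
        if score >= min_score:
            for config in cve.get("configurations", []):
                for node in config.get("nodes", []):
                    for match in node.get("cpeMatch", []):
                        if not match.get("vulnerable", False):
                            continue
                        for asset_cpe, control in inventory.items():
                            key = (cve["id"], asset_cpe)
                            if key not in seen and cpe_applies(match, asset_cpe):
                                seen.add(key)
                                hits.append(Finding(cve["id"], score, asset_cpe, control))
        if hits:
            positive.extend(hits)
        else:
            informational.append(cve["id"])
    return positive, informational


if __name__ == "__main__":
    pos, info = triage(FEED, INVENTORY)
    for f in pos:
        print(f"POSITIVE  {f.cve_id} CVSS {f.score} -> {f.asset_cpe} (review control {f.control_id})")
    for cve_id in info:
        print(f"INFO      {cve_id} not applicable or below threshold; log and retain")
```

Each positive finding names the audit control that production and audit management must review, which is the input the verification step above needs; the informational list is what the negative responses look like when logged. Lowering `min_score` widens the positive set, as the exact-version match for the fourth constructed record shows.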
Audit Control Change Committee
Audit internal control changes may call for a committee. A group that meets to review vulnerabilities together is more effective than passing around emails and attachments, and it can draft the control changes once a vulnerability has been verified. A committee also ensures that the appropriate company personnel are represented and notified of new vulnerabilities.
Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing.