4 min read
AUTHOR:
Corey Wells
SVP, Partners & Alliances
Published: 26 October 2023
Last Updated: 30 October 2023

Originally appeared in the August 2023 issue of Internal Auditor magazine. Reposted with permission of The Institute of Internal Auditors.

It has become abundantly clear over the past couple of years that the breadth of topics that fall under the environmental, social, and governance (ESG) umbrella is expansive. Here are just a few of the many areas that are included under each ESG pillar:

Environmental (E)—The myriad of topics included under the “E” pillar include climate change (generally viewed as global warming), water use and accessibility to clean water, waste and pollution reduction, land use and biodiversity, and resource depletion.  

Social (S)—The “S” in ESG is generally defined as an organization’s operational impact on society and how organizations are promoting social diversity and inclusion with a focus on diversity, equity, and inclusion (DEI), employee well-being, and community engagement. 

Governance (G)—The “G” encompasses factors such as board and management composition, corporate structure, business ethics and anti-corruption. This includes company policies, standards, information disclosures, and auditing and compliance issues.

A topic that seems to be flying below the ESG radar for many organizations, yet should be a top consideration, is cybersecurity. Organizations battle many cyber-related threats that tie directly back to ESG, including data breaches, ransomware attacks, and more. Failure to manage those threats effectively can create exposures to the organization such as the loss of critical assets ranging from employees’ personal information to customers’ and other stakeholders’ private information. These types of cyber incidents are typically viewed in the social and governance pillars of ESG, and can lead to customers, employees, and third parties losing trust in an organization. Ultimately, this can cause significant harm to the organization’s reputation and financial stability.

With websites becoming more sophisticated at capturing user data along with the emergence of artificial intelligence, machine learning, and robotic process automation, the stakes are rising for cybersecurity teams as they battle to protect data assets of all types.

With evolving ESG regulations and new cybersecurity threats emerging at a relentless pace, internal auditors have a wonderful opportunity to add value by working closely with the cybersecurity team to proactively identify emerging cyber threats and implement mitigation strategies.

Internal auditors should keep in mind a few considerations as they venture into what may be unfamiliar territory:

  • Offer a strategic perspective: Internal audit should work to address cyber threats consistently across the organization and avoid siloed approaches. It should collaborate with other teams that might have relevant information or perspectives.
  • Maintain independence: While internal audit does focus on providing assurance services, advisory services are allowable and even encouraged, but be mindful to not take on the role of management by making decisions or “doing the work.”
  • Be nimble: The rapid evolution of cybersecurity threats means an agile approach is crucial. This will enable your internal audit team to provide insights while they are still relevant.
  • Provide coordinated and consistent risk information: Internal audit should share timely risk information with management and the board to enable quick and decisive action. Internal audit must still provide its own independent assessments; however, by working with the cybersecurity team, it can avoid the confusing or conflicting information that undermines the confidence of the board and management.

Building strong relationships is nothing new for internal auditors, but the importance of collaboration across teams when it comes to cybersecurity cannot be overstated. Auditors need to work closely with all parties involved, especially their organization’s chief information security officer (CISO). The IIA provides guidance on getting started developing those critical relationships:

With cybersecurity being a key element of an organization’s governance structure as well as being foundational for an effective data privacy program, now is the time for internal audit teams to secure a seat at the table. By ensuring cybersecurity threats are properly reflected in your organization’s ESG program and continuously working to understand and mitigate cybersecurity threats, you can help protect your organization and maximize your impact. 

About the Author
Corey Wells
SVP, Partners & Alliances

Corey brings to Workiva over 20 years of integrated risk professional services and domain experience. He is responsible for all client-focused solution delivery and on-boarding for Workiva integrated risk solutions. Previously, Corey spent over 13 years as a founding partner with Focal Point Data Risk (formerly Sunera). During his tenure, he established and operated the firm's Canadian business unit and built and led the firm's West Coast U.S. advisory practice and the firm's national data analytics practice.

Additionally, Corey was the Chief Audit Executive (CAE) at WestJet Airlines in Canada, where he established and led the development of the internal audit and risk management functions. Corey is a Chartered Financial Analyst (CFA), Certified Internal Auditor (CIA), and is Certified in Risk Management Assurance (CRMA).
