Cyber is now in the audit
Cyber was once the preserve of a specialist team, set apart from the everyday work of assurance. But across regulated markets, the authorities that set oversight expectations have stopped treating cyber as a standalone technical discipline. Cyber resilience is increasingly built into the broader frameworks that govern how firms, and the delegated and outsourced arrangements they depend on, are assessed and held to account.
Auditors that review core business processes are now expected to form a credible, defensible view on cyber, often well beyond the depth the remit was built for. That view also carries further than it used to. A board declaring the effectiveness of its material controls, a senior manager evidencing the reasonable steps they took, and a firm answerable for the cyber resilience of the arrangements it has delegated or outsourced are each relying in part on what assurance concluded about cyber.
Forming a view on whether a cyber control is adequately designed and reliably operating, and whether the evidence would survive challenge, is a judgement call that rests on a depth of cyber risk governance experience, and that judgement has to hold up when it is itself tested. The question, for an audit firm or an internal audit function, is how to bring that experienced judgement to bear without building a dedicated cyber practice to house it.