Cyber is now in the audit

Cyber was once the preserve of a specialist team, set apart from the everyday work of assurance. But across regulated markets, the authorities that set oversight expectations have stopped treating cyber as a standalone technical discipline. Cyber resilience is increasingly built into the broader frameworks that govern how firms, and the delegated and outsourced arrangements they depend on, are assessed and held to account.

Auditors that review core business processes are now expected to form a credible, defensible view on cyber, often well beyond the depth the remit was built for. That view also carries further than it used to. A board declaring the effectiveness of its material controls, a senior manager evidencing the reasonable steps they took, and a firm answerable for the cyber resilience of the arrangements it has delegated or outsourced are each relying in part on what assurance concluded about cyber.

Forming a view on whether a cyber control is adequately designed and reliably operating, and whether the evidence would survive challenge, is a judgement call that rests on a depth of cyber risk governance experience, and that judgement has to hold up when it is itself tested. The question, for an audit firm or an internal audit function, is how to bring that experienced judgement to bear without building a dedicated cyber practice to house it.

Equip your own teams

Ordonis equips your auditors and assessors to reach a defensible view of cyber risk, fitted to the process you already run, so the opinion stays your own.

An engagement leaves your team with a defined standard for cyber evidence and the judgement to apply it, so the conclusion holds when it is itself tested.

For any one firm, Ordonis acts for one constituency only, the board, the management that produces its reporting, or its assurance provider, and never more than one.

Ordonis is the advisory practice of Anthony Hines. If your audits are being asked to reach further into cyber than your remit was built for, start a conversation.