Leveling Up the CISO & CAE Partnership

Leveling Up the CISO & CAE Partnership

The conversation around cybersecurity has taken on a new direction that feels like history repeating itself. Just as the decision to hold CEOs and CFOs personally liable for misstated financial reports under the SOX Act had a profound impact, CISOs may soon face similar liability for security breaches. The SEC has already set a precedent by charging the CISO from SolarWinds with violations related to the anti-fraud provisions in the Securities Acts of 1933 and 1934. In this case, the SEC alleges that the CISO ignored red flags and known internal control weaknesses, leading to a major data breach. 

After SOX was enacted, CEOs and CFOs leaned heavily on the work done by internal auditors to stay ahead of major control deficiencies through regular testing. CISOs can likewise leverage the risk and control expertise of the internal audit team to supplement and test the control processes implemented by the information security team

This article makes the case for why now is the time for InfoSec and Internal Audit to join forces and highlights four areas where partnership between CISOs and CAEs should bring the most benefit. 

4 Ways CISOs Can Partner With Internal Audit to Advance the Control Environment

The pace of regulatory compliance changes over the past year has been unprecedented, with new SEC Cyber Disclosure Requirements, PCI updates, and ever-changing data privacy regulations. At the same time, technology, artificial intelligence, and governance issues continue to evolve. These rapid changes and the challenge of dealing with limited resources are straining many information security teams, making it even more crucial to collaborate with internal audit teams. 

Internal auditors are well-versed in auditing against new requirements using a risk-based approach to focus on the most critical areas first. CISOs may not know they can call on the internal auditors to assist with compliance and control testing. Likewise, auditors know that technology, cybersecurity, and compliance are high-risk areas for any organization, but they may need to learn the specific areas where the CISO could use assistance. 

By opening communication lines between these two groups, the CISO and CAE can collaborate to improve the control environment in one of the highest-risk areas. 

Decode the New SEC Cybersecurity Disclosure Ruling

1. Document information security controls 

InfoSec teams understand the threats to the organization and work tirelessly to prevent those risks from materializing, but they need more time and expertise to formalize and document the controls they implement. From implementing and testing SOX controls, internal auditors learned the importance of creating process narratives, flowcharts, and risk and control matrices (RCMs) for financial processes. 

CISOs now face a similar requirement – they must show how their teams control cyber risks so that others can understand and test independently. CAEs also need formal process and control documentation to focus their team’s efforts on areas with the highest risk exposure. Working together can produce high-quality documentation vetted by the InfoSec team that the CISO can use to ensure no control gaps.

2. Facilitate IT risk assessments

Internal Audit will produce IT risk assessments to determine their audit plan, and InfoSec teams conduct their own risk assessments focusing on threats to the organization, such as cybersecurity breaches, data privacy, and third-party exposure. With a strong partnership between the CISO and the CAE, both groups can share information to make their respective assessments more robust. The CAE can incorporate the detailed analysis from the CISO to determine where auditors should spend their limited resources. On the other hand, the CAE can provide an enterprise-wide perspective to show the CISO how their areas of responsibility fit into the broader risk landscape. 

3. Perform control testing-related work

Building documentation that includes a process narrative and an RCM enables control design testing and operating effectiveness testing. Outside the typical audit process, CISOs and CAEs can collaborate on a testing plan covering high-risk areas while preserving audit’s independence and adding value to the CISO’s organization. For example, internal audit can provide consulting services to the CISO while steering clear of direct control design, the InfoSec team can perform their own testing with audit conducting independent test work, or internal audit can oversee the work done by a third party.   

4. Manage the information security issue remediation processes

Another area for collaboration is issue remediation. CISOs may or may not have access to project managers who can assist with issue tracking and remediation, but internal audit already has a well-established workflow that includes not only the identification and tracking of observations and action plans but also the validation that those action plans were implemented as agreed to and on a timely basis. To be more strategic with the limited resources that audit and infosec have, many InfoSec teams would benefit from allowing internal audit to consolidate information security’s issue management program. Additionally, having an independent party such as internal audit validate the implementation status of Information Security remediation plans can increase the reliability that the action plans were implemented as expected.  

A Natural Partnership

The relationship between InfoSec and internal audit is a natural partnership that can benefit the entire organization. CISOs should seize the opportunity to supplement their team’s domain expertise with internal audit’s mastery over risk and control testing. Likewise, CAEs should look for areas in InfoSec that present the highest risk and collaborate with the CISO on initiatives that involve both teams. The result combines the skills of both teams for an in-depth and insightful understanding of the processes, risks, and controls within the CISO’s domain. Considering the current sentiment of holding CISOs personally liable for risk exposures like cybersecurity breaches, right now is the perfect time for CAEs and CISOs to team up.  


Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.