[27 Jan 2017]

Cyber Security and Internal Audit

Written by: Ms. Maggie Chan - Risk Consultant

The Yahoo data breach is one of the major recent worldwide cyber attacks. Reports revealed that account information of at least 500 million Yahoo users was stolen in 2014 and more than 1 billion accounts were affected in 2013. Cyber attacks can bring both direct and indirect monetary loss and other damage to the corporation, its customers or any associated party.

There is no doubt that the front line of defense for internet security lies with the information technology department. However, the public has increasingly recognized the need to set up another measure of defense: the establishment of an internal control system.

Global Perspectives and Insights issued by The Institute of Internal Auditors (“IIA”)
In the global survey (“the Survey”) conducted by the IIA in 2016, more than 2,200 internal audit practitioners from 111 countries were asked about the auditing culture in the area of cybersecurity.

The Survey shows that 16% of the respondents’ organizations relied entirely on their own internal audit department to provide cybersecurity-related internal audit services, while 58% of them fully or partly outsourced such services to external providers. The remaining 25% of them had no cybersecurity-related internal audit services in their organization. The reasons for the lack of internal audit of cybersecurity were that they did not possess the relevant skills, knowledge and tools. Some respondents also claimed that they were not supported by the executive management, the board and the audit committee.

An internal audit department that provides these cybersecurity audit services often helps to direct the organization’s attention to the critical risks and control issues regarding cybersecurity. To create a sound system, the IIA suggested taking the following steps:

  • Understand technology-related risks and their possible impacts on the achievement of operational and strategic objectives
  • Leverage the organization’s technology investments to obtain the necessary tools for auditing cybersecurity and big data
  • Develop necessary internal audit competencies
  • Promote cooperation between technology and business operations
  • Provide comprehensive technology-related internal audit services, including participation in project management teams and provision of technology-related risk management and internal controls assurance to the board


With the increasing risks related to cybersecurity, it is expected that demand for internal control will increase and that regulatory requirements will become stricter and more complicated. Outsourcing cybersecurity-related internal audit is also a feasible choice for corporations in view of the costs, knowledge and tools to be maintained.

Issue 5, Global Perspectives and Insights: Emerging Trends Powered by Global Pulse of Internal Audit, The Institute of Internal Auditors, October 2016.

“Hackers Stole Data from More than 1 Billion Yahoo User Accounts”, CIO Today, 15 December 2016.


If there are any aspects with which we may assist, please do not hesitate to contact:

Managing Partner - Mr. Roy Lo
roy.lo@shinewing.hk (Tel. 3583 8048) or

Senior Risk Manager - Ms. Gloria So
gloria.so@shinewing.hk (Tel. 3583 8517)


SHINEWING Risk Services Limited

43/F., Lee Garden One, 33 Hysan Avenue Causeway Bay, Hong Kong,

T. (852) 3583 8000

F. (852) 3583 8532

W. www.shinewing.hk

E. risk@shinewing.hk




SHINEWING Risk Services Limited is an industry leader with many years of experience in risk management and internal control review services in China and Hong Kong. SHINEWING has maintained its leadership position in the market over the years.

Headquartered in Beijing, with branch offices in Hong Kong, Singapore, Japan, Australia, Pakistan, Egypt, Shenzhen, Chengdu, Shanghai, Xi’an, Tianjin, Qingdao, Changsha, Changchun, Yinchuan, Jinan, Dalian, Kunming, Guangzhou, Fuzhou, Nanjing, Urumqi, Wuhan, Hangzhou, Taiyuan, Chongqing, Nanning and Hefei, SHINEWING is ideally positioned to provide services for our valued clients.


Copyright © 2017 SHINEWING Risk Services Limited. All rights reserved.
