Good and bad advice on cybersecurity audits

It happens so often, it’s almost not worth my time writing about it.

Grant Thornton, like the other external audit firms, provides internal audit services as well. To promote them, they offer advice on matters such as how to perform audits of an organization’s cybersecurity measures and practices.

This week, they published “It’s time to upgrade cybersecurity internal audits.”

They do share a useful chart on the average cost of a data breach in the US. However, they fail to point out that at $9.44 million, it shouldn’t represent a serious risk to the achievement of an organization’s objectives, let alone its survival. Yes, it’s rising (a little) every year. But how much return on investment would an organization obtain from further investments in cybersecurity?

Is cyber really a top-ten risk?

In order to know, every organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.

Like so many other misguided consultants, Grant Thornton looks to internal audit to perform the risk assessment.

When will people get it?

ASSESSING RISK AND UPDATING THE ASSESSMENT WHEN IT CHANGES IS A MANAGEMENT RESPONSIBILITY[1]!

The role of internal audit is to assess whether…
