David Gonzalez is an audit expert with Ncontracts with more than 20 years of experience in the industry. From compliance officer to internal auditor to risk officer, he has spent his career evaluating the effectiveness of risk management and compliance programs and working to improve them.
Today, David applies his knowledge to develop Ncontracts solutions, including building out our model content library for our Nverify audit management solution to include model audits, model compliance reviews and control testing.
In this Q&A, David shares his insights into IT audits and cybersecurity, including advice on how an auditor who isn’t a technology SME can effectively audit IT.
Q: What’s the goal of an IT audit?
A: We want to understand how a cybersecurity program and framework are established, how it's tested, and how continuous monitoring is conducted. We want to ensure that the cybersecurity framework is deeply embedded within any business continuity management plans or any risk assessments to see that they align, and one doesn’t get updated without the other.
Q: Reg Y requires entities to report cyberattacks within 36 hours. What role does audit play in that?
A: There should be an audit ensuring that the institution responded within the required 36-hour timeframe.
If the FI didn’t respond within the timeframe, there should be a clear justification and documentation. For example, maybe the FI wasn’t sure it was a cyberattack at first and was conducting an internal investigation.
You need that documented somewhere just so if the regulators come in and they say, “This is 48 hours, not 36, what took you so long?” you have appropriate documentation and can explain what happened. Show that you secured your data and wanted to be able to accurately report what happened – whether it was a single attack or conjoined multiple attacks. You want to give the regulators the whole picture.
Q: Is it hard to audit an area like IT if you’re not an IT expert?
A: It can be intimidating because it is an ever-changing environment and it's more and more technical. Unless you're an IT-specific auditor or have an IT background that can understand the documents IT sends, you’ll need IT to present it in a digestible format to understand what's going on.
That’s why I start out by collaborating with IT, developing relationships with individuals early on so there’s trust and confidence that you’re both working towards the same goal of improving the environment within the organization.
You need to make it clear that it’s not a game of “got you” and you’re not going to turn everything IT tells you into an audit finding. It’s asking how do we cover this base and listening when they explain how. You want to create a collaborative environment and work with them even when you aren’t performing an audit.
Q: What can smaller institutions do to conduct cybersecurity audits when they have just one IT person and that person is extremely busy?
A: Again, it’s all about collaboration. We all wear multiple hats, whether it's a large institution or small institution, so you need to think creatively.
A smaller institution may have IT personnel at different branches, and one of them might be able to help. Maybe you can bring in an outside resource. If you’ve outsourced IT, you can include in your vendor agreement that they’ll help explain your controls, so you’ll better understand how to test them.
Q: Are cybersecurity audits purely technical or are there common controls auditors can look at?
A: While some small sections of cybersecurity audits are very technical, many controls are common ones any auditor could examine. These include things like segregation of duties, approval processes, change management, and access controls. Focus on controls preventing someone from unilaterally turning things off or pushing through changes without proper testing and approvals. The technical IT pieces can be handled by IT audit specialists.
Q: What types of cybersecurity frameworks does your company use for audits?
A: We use several cybersecurity frameworks including NIST at low, moderate and high levels. We're also planning to implement CSA STAR for cloud-based organizations later this year, and the MITRE ATT&CK framework next year. While parts are technical, many controls are common ones you'd see in non-IT audits too.
Q: How can auditors leverage artificial intelligence to be more efficient and comprehensive?
A: AI and bots can allow auditors to examine much larger populations of data. For example, instead of just sampling a percentage of clients in a Bank Secrecy Act (BSA) audit, we partnered with IT to use bots to check 4-5 key data points for all 300,000 clients - things like having a U.S. address, SSN, phone number, and complete information. An individual auditor couldn't manually review that many records in an audit timeframe.
Q: What challenges do you foresee with auditing AI systems?
A: Auditing the algorithms and behaviors of AI to check for issues like bias, improper influence on users, or incorrect rejection of applications can get very technical and complicated. You want to ensure AI is learning good behaviors from quality data. This is difficult with black box algorithms and generative AI that continuously evolves. Specialized expertise may be required.