Stakeholders in the C-suite and boardroom, and throughout the organization, rely on their internal audit functions to provide assurance- and compliance-related activities. But increasingly these contributions represent just the tip of the iceberg. Amid ongoing business transformation, internal audit is monitoring cybersecurity risks lurking just beneath the surface, while also focusing on emerging technologies and the organization’s long-term strategy. For more information, visit Protiviti.com/IASurvey. © 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. Arriving at Internal Audit’s Tipping Point Amid Business Transformation Top 10 Internal Audit Priorities for 2016* 1. ISO 27000 (information security) 2. Mobile applications 3. NIST Cybersecurity Framework 4. GTAG 16 – Data Analysis Technologies 5. Internet of Things 6. Agile risk and compliance 7. ISO 14000 (environmental management) 8. Data analysis tools – statistical analysis 9. Country-specific ERM framework 10. Big data/business intelligence Top 10 Priorities for CAEs in 2016 1. Big data/business intelligence 2. ISO 31000 (risk management) 3. ISO 9000 (quality management and quality assurance) 4. GTAG 17 – Auditing IT Governance 5. Continuous monitoring 6. Auditing corporate culture 7. Marketing internal audit internally 8. Quality assurance and improvement program 9. Fraud – management/prevention 10. Auditing IT – continuity Percentage of companies that have received inquiries from customers, clients or insurance providers about the organization’s state of cybersecurity Percentage of organizations, by level of board engagement in information security risks, in which there are specific areas of cybersecurity risk that are not addressed sufficiently due to lack of software tools: High level of board engagement Lower level of board engagement Organizations evaluating and auditing cybersecurity risk as part of their audit plan: 2016 73% 2015 53% Organizations with a cybersecurity risk strategy and policy in place Strategy 88% 59% Policy 83% 53% Cybersecurity Part of Audit Plan Cybersecurity Not Part of Audit Plan * Overall survey response