IIA Malaysia
April 2017
CBOK: Stakeholders Advice to the Chief Audit
Executive
This Global Internal Audit Common Body of Knowledge
(CBOK) Stakeholders report offers key insights into
what audit committees (ACs) and management look for
in heads of audit.
According to the survey of over 1,100 board members,
Chief Executive Officers (CEOs) and Chief Financial
Officers (CFOs) from 23 countries, they want chief
audit executives (CAEs) who exhibit strong business
acumen, have demonstrated leadership skills and can
manage competing priorities, as well as influence
organisational culture, as summarised below:
1. Exhibit strong business acumen, including
knowledge of the industry, the ability to under-
stand business strategy, and the insight to
understand and assess risks.
2. Demonstrate leadership skills, technical
competence, innovation, and relational
competence with audit staff and stakeholders.
3. Manage competing priorities, demands, and
conflicts within the organisation, including
communication with all areas of the organisation
with objectivity and integrity.
4. Seek to influence the culture of the organisation.
Modeling right behaviour and thinking, inspiring
discussion, and acting as a change agent is crucial
to helping improve organisational culture.
Action items for a CAE to gain business acumen:
Identify the essentials to the success of
organisation - its industry, the external
environment, the chosen strategies and business,
and the risks related to those strategies and
business.
Assess level of business acumen based on the
essentials identified. If necessary, develop a plan
to spend the time and effort with those in the
organisation who can help the CAE think more like
a business leader.
Engage with stakeholders as a business leader, not
a technical auditor. Address issues from their point
of view, communicating with them using language
that they understand.
Action items for a CAE to develop essential capabilities:
Perform a self-assessment of capabilities against
those expected by stakeholders.
Solicit input from stakeholders on performance in
the CAE role; ask them to identify the areas in
which the CAE should improve.
e-techline
Issue 02/17
Document a clear development plan to address
the most important gaps in capabilities.
Discuss with executive management and board
members the self-assessment findings and the
development plans. Solicit approval and consent.
Seek out a mentor (internal or external) who is in
a senior leadership position.
Action items for a CAE to balance competing priorities:
Develop strong relationships with stakeholders of
all types and levels.
Do not hesitate to take positions when they are
needed.
Stay grounded in professional obligations.
Build excellent interpersonal skills to be ready for
use when they are critical.
Action items for a CAE to promote change in
organisational culture:
Discuss with stakeholders the culture desired for
the organisation to help ensure the desired
culture is defined and agreed-upon.
Assess the culture of the internal audit (IA)
function to ensure it models the culture desired
for the entire organisation.
Embrace the role of educator and change agent,
each of which gives the ability to the CAE to
improve the organisations culture.
Confirm with stakeholders that IA is viewed not
only as an enforcer of rules, but also as a valued
contributor to the improvement of the
organisation and its culture.
Conclusion
The role of the CAE is challenging it requires
competencies, motives, skills, and specific levels
of integrity not often required of other executive
roles.
A unique feature of the CAE role is the reporting
structure and the multitude of stakeholders whom
they serve. It is important that the reporting
structure include measures that will reduce any
adverse impact on the independence and the
objectivity of the CAE.
The advice in this report comes from a large group
of global stakeholders. Each CAE should engage
with their own stakeholders to explore where they
excel and where they can improve to bring value
to the role and to the organisation.
Reference:
http://theiia.mkt5790.com/CBOK_2015_Stakeholder_Advic
e_CAE
1
IIA Malaysia e-techline
April 2017 Issue 02/17

The Security Intelligence Center - Next Steps: Slightly over 50% of respondents reported that
Beyond Response to Anticipation their organisations use threat intelligence and
Joint research by Internal Audit Foundation and analytics tools, while nearly 65% said that they use
event collection tools (Exhibit 3).
Crowe Horwath
These responses suggest that organisations have
As cyberattacks grow in frequency, severity, and begun to implement the functions associated with
a SOC even if they have not yet taken the steps to
complexity, cybersecurity professionals are urging
establish a formal center.
organisations to move beyond a defensive and reactive
approach to a more proactive approach, allowing for
the prediction and anticipation of cybersecurity
threats.

A Quick Poll survey of 130 CAEs in North America was

conducted to ask specific questions about the use of
security operations centers (SOCs) as part of
cybersecurity strategies. The survey results also suggest
that some conclusions can be drawn about CAEs
general levels of involvement in monitoring and
reviewing their SOC operations.

This report is intended to help cybersecurity

professionals, CAEs, and other stakeholders to explore
broader issues and to answer two questions:
1. How can organisations move beyond merely
reacting and responding to cybersecurity incidents
and instead start to identify, anticipate, and actively
defend against known and emerging threats?
2. What role can CAEs play in encouraging and
facilitating this shift from a reactive to a proactive
stance?
The Current State: Security Operations Centers and
the Use of Intelligence Tools
SOC Usage and Characteristics
While a number of organisations have established
formal SOCs to help manage cybersecurity risk,
there are still significant opportunities for audit
executives to become more actively engaged in this
area. 35% of respondents said that their
organisations had already established a formal
SOC; another 10% were considering it (Exhibit 1).
Speaking in general terms, the survey suggests that
SOCs tend to be moderately sized departments
within the larger information security functions.
About 4 out of 10 organisations reported 5 or fewer
full-time equivalent employees (FTEs) attached to
their SOCs (Exhibit 2).
Cybersecurity Tool Use
CAEs were asked about their use of the 3 general
types of cybersecurity tools: threat-intelligence
gathering tools, event collection tools, and
analytics tools.

2
IIA Malaysia
April 2017
The Role of Internal Audit (IA)
The survey responses suggest a number of areas in
which IA have opportunities to improve and
increase their contribution in this area, particularly
in helping to pave the way for the establishment of
a SOC or in elevating a SOC to a Security
Intelligence Centre (SIC).
IAs role in cybersecurity can be considered within
the context of the broad data security functions
outlined in the organisations cybersecurity
framework. As the third line of defence, IA is
responsible for providing senior management and
the board with independent assurance that
needed activities are being performed by the first
two lines of defence: 1) the lines of business; and
2) the risk management team.
Some areas where IA can provide assurance are:
Pursue specific steps that relate to their
entities SOC and general security operations.
Many of these are closely related to the
actions recommended in the Internal Audit
Foundation Core Report, Navigating
Technologys Top 10 Risks: Internal Audits
Role.
http://theiia.mkt5790.com/Navigating_Technology
s_Top_10_Risks
Help the organisation advance toward the
establishment of a mature SIC by verifying that
cybersecurity intelligence tools are up-to-
date, with current patches and upgrades
installed. IA can also review the training and
credentials of SOC analysts to confirm up-to-
date qualifications.
Review the overall level of information
security awareness and preparedness, and
elevating that awareness organisation-wide.
One of the most effective ways to do this is by
advocating for effective cybersecurity
awareness training.
The Global Technology Audit Guide (GTAG) 17:
Auditing IT Governance, offers extensive
additional information to IA to fulfill their
responsibilities in providing assurance and
consulting services for IT governance.
https://global.theiia.org/standards-
guidance/recommended-guidance/practice-
guides/Pages/GTAG17.aspx
Reference:
http://theiia.mkt5790.com/Cybersecurity
e-techline
Issue 02/17
Tone at the Top February 2017
This issue covers the disclosure about compensation
paid to CEOs, CFOs and other high-ranking executive
officers of public companies. While such disclosure
provides transparency into this sensitive topic, it also
raises concern among shareholders and employees
when the CEO receives excessive compensation
although the companys performance is down.
Such concerns create risks to the enterprise and
highlights the need for internal audit to assess
executive compensation packages.
Reference:
https://global.theiia.org/knowledge/Public%20Documents/
2017-Feb-TaT.pdf
KPMG 2017 Global Audit Committee Pulse
Survey
Is Everything under Control: Audit Committee
Challenges and Priorities
This global survey, conducted between August to
October 2016, offers insights that ACs worldwide can
use to benchmark its responsibilities and practices,
and strengthen its oversight.
The survey identifies six key areas of priorities for ACs,
as below:
1. Risk management is a top concern for ACs.
2. Internal audit can maximise its value to the
organisation by focusing on key areas of risk and
the adequacy of the companys risk management
processes generally.
3. Tone at the top, culture and short-termism are
major challenges and may need more attention.
4. CFO succession planning and bench strength in the
finance organisation continue to be weak spots.
5. Two key financial reporting issues may need a
more prominent place on AC agendas:
Implementation of new accounting standards and
non-GAAP financial measures.
6. AC effectiveness hinges on understanding the
business.
Reference:
https://home.kpmg.com/content/dam/kpmg/xx/pdf/2017/
01/2017-global-audit-committee-pulse-survey-global-non-
interactive.pdf