The Institute of Internal Auditors Ghana successfully organised training in cyber security for its members and stakeholders as part of its efforts at deepening and augmenting the capabilities of industry players to deliver on their mandates effectively. The training was facilitated by e-Crime Bureau, one of the leading Ghanaian firms in cybersecurity consultancy and capacity building.
The cybersecurity landscape has experienced many changes in the global ecosystem over the past years with an increasing occurrence of cybersecurity incidents targeting IT systems of various sectors. The global stage has also seen a lot of positive developments, particularly in the area of cybersecurity technology, regional and international collaboration, national legislation and regulation and a significant growth of cybersecurity service providers and professionals to bridge the cybersecurity gaps regarding human resources.
Cybersecurity can have pervasive impacts on companies, as organisations face numerous threats with varying consequences due to rapid technological change. With technology advancing and the COVID-19 pandemic having driven the adoption of remote working arrangements, companies are facing new and evolving cybersecurity threats. Regulators, investors, and other stakeholders are increasingly interested in understanding and instituting adequate security measures to protect the global economy. The global average cost of a data breach, according to IBM, in 2023 was USD 4.45 million, a 15% increase over 3 years.
Ghana has seen significant developments with the coming into force of the Cyber Security Act 2020 (Act 1038) with its attendant institutionalisation of the Cyber Security Authority (CSA), which has led the effort to regulate the cybersecurity ecosystem in Ghana to ensure that institutions raise the level of compliance against local regulatory standards and international best practices.
Internal auditors are an essential category of professionals that play significant roles in cybersecurity compliance regimes within organisations. Traditionally, internal auditors focused on financial controls and compliance. However, the rise of cyber threats necessitates a paradigm shift. Today’s internal auditors need a deeper understanding of cybersecurity to fulfil their responsibilities effectively. Cybersecurity risks are complex and often intertwined with financial and operational processes. Cybersecurity has increasingly become a critical business risk management intervention for organisations due to the dynamic IT landscape and the rising dependency on IT systems and processes. According to the Global Risk in Focus 2023 Report, a comprehensive survey of internal audit leaders worldwide, 82% identified cybersecurity as the top risk impacting organisations.
Internal auditors generally provide independent or internal reviews of security controls and information systems, test the safety and effectiveness of individual components of cybersecurity defences, and analyse or investigate any recent breaches or security concerns. They also ensure that cybersecurity audits are adequately executed and adhere to the implementation of appropriate cybersecurity frameworks.
The Institute of Internal Auditors, Ghana (IIA) and e-Crime Bureau have, over the past eight (8) years, collaborated to build capacity for over 680 internal auditors with scheduled training programmes in the areas of cybersecurity, digital forensics, and IT audit, amongst others, based on needs assessments conducted to establish existing capacity building gaps and new developments within the information technology ecosystem. The first training programme for internal auditors for 2024 was on Contemporary Cybersecurity Essentials for Internal Auditors. The programme took place from March 25 – 27, 2024, at the Sunlodge Hotel, Tesano Accra, with about 75 participants from both public and private sector institutions in attendance.
A group presentation on a case study being delivered by participants
The focus and goals of the training included deepening understanding of emerging cybersecurity threats affecting organisations, increasing expertise in cybersecurity fraud risks and their impact, and equipping internal auditors to master appropriate digital forensics techniques required for conducting audit procedures. Others included the identification of root causes of electronic fraud within organisations, providing skills for evaluating the adequacy and monitoring of the effectiveness of existing cybersecurity controls within organisations, and, according to practitioners, an opportunity to leverage digital forensics tools and procedures to detect potential fraudulent financial activities.
At the end of the programme, participants demonstrated in-depth knowledge of assessing the cybersecurity measures put in place to safeguard Critical Information Infrastructures (CII) and ensure compliance with industry-specific standards. They also evaluated various strategies for auditing and mitigating supply chain risks, such as vendor risk assessments and due diligence, as it has emerged that cybersecurity incidents often originate from vulnerabilities within the supply chain systems and poor vendor/third-party management protocols.
Overall, the programme sought to greatly enhance the technical, cyber risk management, and response capacities of auditors to identify, detect, acquire evidence on, and investigate cybersecurity-related incidents that affect IT environments and directly impact the operations and audit activities of organisations.
Based on the in-training assessments, the beneficiaries have been well-equipped to navigate the dynamic cybersecurity landscape, address industry and organisation-specific challenges, and contribute to the overall resilience of organisations in the face of evolving adaptation to technology and its attendant cyber threats.
At the end of the training programme, participants expressed their appreciation to the Institute of Internal Auditors (IIA) Ghana for its leadership’s foresight in engaging and equipping audit professionals year-on-year on the important subject of cyber and information security to ensure that they can navigate audit responsibilities within complex IT-facilitated corporate environments.
At the programme’s closing ceremony, the President of the Institute of Internal Auditors, Ghana (IIA), Mr. Joseph Dakora Zumasigee, opined on the importance of internal auditors prioritising their advisory responsibilities to their organisations. He challenged them to justify the training cost by demonstrating the new skills they gained.
The e-Crime Bureau and IIA, Ghana collaboration seeks to extend other innovative programmes in the areas of cybersecurity, digital forensic investigations, and audit to internal auditors in other selected regions in Ghana within the rest of 2024 and beyond, to ensure that the role and value of internal auditors in strengthening the cyber resilience of institutions is firmly established.