Cybersecurity and Internal Audit: Building Trust in a Digital-First World

 

 

In today’s hyperconnected economy, I have observed that data has become currency and trust is everything. Organisations increasingly rely on digital systems for everything from customer transactions to supply chain operations. This convenience, however, comes with risk. Cyberattacks such as ransomware, phishing, and insider threats are growing in scale and sophistication.

This is where internal audit can be a critical partner in the cybersecurity ecosystem.

 

The Evolving Cybersecurity Landscape

Singapore’s increasingly digital economy faces complex and fast-changing cyber threats. The points below highlight key risk areas and regulatory requirements that make cybersecurity a critical enterprise-wide priority.

  • Expanding Digital Footprint - Modern cyber risks have grown far beyond traditional firewalls and antivirus software. As organisations adopt cloud services, enable remote work, and use connected devices, from Internet of Things sensors to smart equipment, their digital footprint grows significantly. Artificial intelligence and automation, while increasing efficiency, also create new entry points for attackers who are constantly refining their tactics and tools.
  • Key Vulnerabilities - Threat actors exploit weaknesses wherever they can find them. Weak access controls and identity management can open the door to unauthorised users. Third-party relationships, such as vendors, partners, or outsourced IT providers, often create indirect exposure when those partners fail to meet adequate security standards. Data governance is another frequent vulnerability; improper data retention, inadequate encryption, or poor classification practices can make sensitive information easy to steal or manipulate.
  • Singapore’s Regulatory Landscape - Local regulations significantly raise the stakes. The Personal Data Protection Act sets strict requirements for the collection, use, and protection of personal data. The Cybersecurity Act provides a framework for safeguarding critical information infrastructure. The Monetary Authority of Singapore Technology Risk Management Guidelines impose rigorous standards on financial institutions. Together, these frameworks demand stronger governance, continuous monitoring, and demonstrable compliance, making cybersecurity not just an IT issue but a strategic priority that requires enterprise-wide attention and ongoing investment.

 

Internal Audit’s Role in Cybersecurity

From my experience, internal audit plays a vital role in strengthening an organisation’s cyber defences. Its responsibilities extend beyond checking compliance to fostering resilience and building trust across the enterprise.

  • Independent Assurance and Resilience - Internal audit provides independent assurance that cyber risks are effectively managed, offering an objective view that complements the work of IT and security teams. Its value lies not only in detecting weaknesses but also in fostering a culture of resilience. By taking a holistic view of governance, processes, and controls, internal audit helps ensure that cybersecurity is treated as a continuous, enterprise-wide priority rather than a one-off project.
  • Risk Assessment and Governance - Internal auditors evaluate how well cybersecurity risk is embedded within enterprise risk management and verify that boards and senior management maintain proper oversight of cybersecurity policies, strategies, and risk appetite. This includes reviewing whether leadership sets clear direction, allocates sufficient resources, and regularly monitors key cyber metrics.
  • Controls Testing and Monitoring - Internal auditors assess the design and effectiveness of security controls such as patch management, identity and access management, and network segregation. They also test incident response readiness by reviewing playbooks and facilitating simulations or table-top exercises to identify gaps before an actual cyber incident occurs.

 

Best Practices for an Effective Cybersecurity Audit

Leading internal audit teams strengthen cybersecurity most effectively by embedding it into every stage of their work. Some key practices include:

  • Risk-Based Approach - Focus on high-value assets such as customer data, intellectual property, and critical business processes. Prioritising areas with the greatest potential impact ensures resources address the most significant threats first.
  • Continuous Auditing and Analytics - Use automated tools and data analytics to monitor anomalies in real time rather than relying solely on periodic reviews. This proactive stance enables early detection of suspicious activity and provides management with timely insights to prevent or contain incidents.
  • Collaboration with IT and Security Teams - Open communication while maintaining independence is essential. Participating in joint threat modelling sessions can reveal blind spots early.
  • Third-Party Risk Management - Evaluate vendors’ security posture and include supply chain audits in the annual audit plan to reduce risks arising from external partners and outsourced services.
  • Training and Awareness - Internal audit professionals must stay up to date on emerging risks related to artificial intelligence, blockchain applications, and potential future threats from quantum computing. This ensures the team provides relevant and forward-looking assurance.

 

Strategic Benefits for Organisations

Integrating cybersecurity into internal audit delivers benefits that go well beyond basic compliance. It strengthens stakeholder confidence by providing independent assurance that cyber risks are being effectively managed. This proactive oversight reduces the likelihood of financial losses from breaches or system downtime, helping protect both revenue and reputation.

At the same time, it enables innovation by ensuring new digital products and services are launched securely, without exposing the organisation to unnecessary risk. Most importantly, it enhances overall resilience, allowing organisations to adapt quickly and stay protected against evolving cyber threats and increasingly rigorous regulatory scrutiny.

 

Looking Ahead

I believe cybersecurity is no longer just an IT concern - it’s a boardroom priority. In my work with internal audit teams, I have seen how proactive engagement with cyber risks strengthens trust, ensures regulatory compliance, and supports strategic growth. By combining technical understanding with independent oversight, internal auditors help organisations stay one step ahead in a rapidly changing threat landscape.

 

Bernard Tan has over 25 years of experience in financial services and consulting, with deep expertise in IT governance, cybersecurity, digital banking, business continuity management (BCM), and anti-money laundering audits. He is an elected board director of the ISACA Singapore Chapter and has served as a panel judge for the Singapore Cybersecurity Awards.