Public sector internal auditors most concerned by cybersecurity, data and talent risks
June 7, 2022
Public sector internal audit outlook
Internal audit functions across the public sector are under pressure due to emerging risks, diminishing resources and staffing challenges to fulfill the function, according to a Baker Tilly survey of public sector internal audit professionals. Cybersecurity (including data issues such as governance, privacy and security) and talent management are cited as main concerns. The types of organizations surveyed included state and local governments, school districts, special districts and public utilities.
- 60% of organizations that participated serve more than 250,000 individuals (including federal and state agencies)
- More than 90% of survey respondents stated their audit plans aligned well or somewhat well to the risk landscape the organization faces
- 45% stated the audit plan aligned very well with their identified risks
Respondents to the Baker Tilly survey noted one area not adequately addressed by their current audit plan was organizational culture. While “culture” has never been a strong priority for government entities, the pressure to do more with less in recent years has made it harder for organizational leaders to expect more from their internal audit function than the usual auditing of accounting, finance, operations, human resources and information technology.
Cybersecurity and data
Challenges
Examples of cybersecurity issues that concern public sector internal auditors include ransomware, phishing and hacking. All of these can interfere with an organization’s ability to function for its constituents and put it at risk of using public funds to pay hackers. Local governmental bodies and agencies receive vast quantities of heavily regulated personal and other sensitive data, from both employees and constituents, including personally identifiable information (PII) such as Social Security numbers, personal health information protected by HIPAA and credit or bank card information protected by the Payment Card Industry Data Security Standard (PCI DSS). Security surrounding data is a significant risk, as public bodies are targets for data breaches and ransomware. The risks for a public sector organization related to data breaches are many. The organization could be held liable for a data breach incident and face additional costs, such as providing identity protection services to anyone affected by the breach. Organizations also face reputational damage and a loss of trust if they do not properly protect the data they store.