I heard of a place where internal audit was told to do a comprehensive security audit of all aspects of an organization. All aspects.
How is that possible?
The IT organization is likely working at 110%, with all their energy and effort going to managing, monitoring, investing in and improving the organization's security, so how can a short audit effectively grade how they are doing? Now I suppose that if the auditors were knowledgeable about security and there were huge gaps in what IT was doing, those would surface in the audit. But how could a short audit detect deep matters in the enterprise?
Further, how can an IT organization comprehensively know that all is in control? And how can a CIO assure a board that everything is under control?
They can only attest that they are doing all they know to do, they are vigilant and they are working to set the tone across the enterprise that all must work together to secure the organization.
They can only assure that they are doing all they know to do.
These are difficult times for CIOs.