Session Description:
Too many Internal Audit plans include a single word—“Cybersecurity”—as a catch-all for a broad, complex landscape of technology risks. But cybersecurity isn’t a single audit. It’s a collection of interconnected domains—identity & access management (IAM) capabilities, third-party risk, cloud security, data privacy & processes - vulnerability management, incident response, user access provisioning, & more—each with its own risk profile, controls, & stakeholders.
In this session, IT audit executive David Malcom will guide Internal Audit leaders on conducting an effective IT risk assessment focused on cybersecurity, aimed at creating a targeted 2026 audit plan. Specifically designed for CAEs & Internal Audit Directors, it will cover frameworks to use, evaluating & scoring IT risk attributes, stakeholder involvement, & transitioning from a generic “cyber audit” to a customized cybersecurity audit universe that aligns with your organization’s priorities & risks
The session will show you how to present IT risk assessment results that strengthens executive alignment & equips you to propose a more relevant & risk-informed Internal Audit plan for 2026.
Learning Objectives:
By the end of this webinar, participants will be able to:

-Describe the structure & purpose of an IT risk assessment within Internal Audit’s annual planning cycle.
-Identify commonly used IT risk frameworks & attributes to guide assessment & prioritization (e.g., NIST, COBIT, ISO, FAIR).
-Differentiate between broad risk categories (e.g., cybersecurity) & the specific IT domains or processes they encompass.
-Determine the appropriate stakeholders—across IT, security, risk, & the business—to engage in the IT risk assessment process.
-Apply a methodology for scoring & prioritizing IT risks based on impact, likelihood, & audit readiness.
-Develop communication strategies for presenting IT risk assessment results in a way that promotes executive alignment & partnership with Internal Audit