The relationship between internal auditor’s role and cybersecurity in Malaysia

Information technology (IT) is rapidly being integrated into various fields, particularly finance. Although IT helps run daily operations quickly, effectively, and competitively but the transformation has exposed businesses and companies to the risk of cyberattacks such as data theft, software corruption and disruption of business operations. The Institute of Internal Auditors (IIA) has launched the Three Lines Model which has proven effective in mitigating cybersecurity risks through the first and second lines of defense. Nonetheless, the specific role of internal auditors as the third line of defense in preventing cyberattacks in Malaysia remains unclear and requires further clarification. Therefore, the objectives of this study are to (i) examine the relationship between the internal auditor’s role and the internal audit principles in providing assurance to the organization’s cybersecurity, (ii) examine the relationship between the internal auditor’s role and cybersecurity of the organization’s governance, risk, and control and (iii) examine the relationship between internal auditor’s role and the competency to assess and mitigate cybersecurity risk. A total of seven participants with diverse backgrounds in the industry were interviewed using openended questions. The study revealed a positive correlation between the role of internal auditors and the internal audit principles in providing cybersecurity assurance to the organizations. Furthermore, there is a significant relationship between the internal auditor’s role and the cybersecurity of the organization’s governance, risk, and control. Additionally, the study found a positive relationship between the internal auditor’s role and their ability to assess and mitigate cybersecurity risk. These findings provide valuable insight into the contributions of internal auditors towards cybersecurity in Malaysia.