Internal Audit Strategies for Assessing Cybersecurity Controls in the Brazilian Financial Institutions
Abstract
1. Introduction
2. Related Work
3. Background
3.1. Cyber Risk Management
3.2. Three Lines Model
3.3. Financial Regulation
3.4. International Regulations
3.5. Cyber Resilience in the Financial Sector
3.6. Techniques for Auditing Cybersecurity
4. Methodology
4.1. Sample of Interviewees
4.2. Interviews and Script
4.3. Data Collection
4.4. Data Analysis
5. Results
5.1. Depth of Assessments Carried out by Internal Audit
5.2. Penetration Tests (Internal or External)
5.3. Process Management
5.4. Joint Assessments and Testing
5.5. Continuous Auditing Based on Advanced Data Analytics
5.6. Continuous Security Monitoring Strategy and Integration of Advanced Technologies
5.7. Threat Intelligence and Trend Analysis
5.8. Security Reports and Dashboards
5.9. Metrics and Use of Indicators
- Security Incident Rate in a specific period.
- Mean Time to Detect (MTTD) and Mean Time to Respond or Recover (MTTR) of security incidents.
- Percentage of vulnerability fixes on and off schedule.
- False positive and false negative rates of the detection solutions in use.
- Level of awareness and participation rate in security training.
- Effectiveness of Business Continuity Plans and Attack Simulation Response Plans.
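As an added worked example (not code from the paper or from any of the interviewed institutions), the following Python computes the indicators listed above from constructed incident, vulnerability and attack-simulation records, and flags the KRIs that exceed a tolerance. The record layouts, the remediation SLA per severity and the KRI thresholds are assumptions for illustration; an institution would take them from its own policy and risk appetite. It also shows why a false-negative rate needs an external reference (here a red-team step log) rather than the detection tooling's own alerts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ident: str
    occurred: datetime          # when the compromise or failure actually began
    detected: datetime          # when a control or analyst raised it
    resolved: datetime          # when containment/recovery was complete
    true_positive: bool = True  # False = alert investigated and closed as benign


@dataclass
class Vulnerability:
    ident: str
    severity: str
    found: datetime
    fixed: Optional[datetime] = None  # None = still open


# Constructed sample records (not data from any institution).
T = datetime
INCIDENTS = [
    Incident("INC-1", T(2024, 3, 1, 8), T(2024, 3, 1, 10), T(2024, 3, 1, 22)),
    Incident("INC-2", T(2024, 3, 5, 0), T(2024, 3, 6, 0), T(2024, 3, 7, 12)),
    Incident("INC-3", T(2024, 3, 20, 12), T(2024, 3, 20, 13), T(2024, 3, 20, 19)),
    Incident("INC-4", T(2024, 3, 10, 9), T(2024, 3, 10, 9), T(2024, 3, 10, 10), true_positive=False),
    Incident("INC-5", T(2024, 4, 2, 6), T(2024, 4, 2, 11), T(2024, 4, 2, 21)),
]
VULNS = [
    Vulnerability("V-1", "critical", T(2024, 3, 1), T(2024, 3, 5)),
    Vulnerability("V-2", "critical", T(2024, 3, 1), T(2024, 3, 20)),
    Vulnerability("V-3", "high", T(2024, 3, 10)),
    Vulnerability("V-4", "medium", T(2024, 3, 15)),
    Vulnerability("V-5", "low", T(2024, 1, 1), T(2024, 4, 1)),
    Vulnerability("V-6", "high", T(2024, 2, 1), T(2024, 3, 15)),
]
# Assumed remediation deadlines per severity, in days (policy values are institution-specific).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Constructed attack-simulation log: each red-team step and whether monitoring flagged it.
REDTEAM_STEPS = [("phishing-landing", True), ("credential-reuse", True),
                 ("lateral-movement", False), ("privilege-escalation", True),
                 ("exfiltration", True)]
# Assumed KRI tolerances; real values come from the institution's risk appetite.
KRI_THRESHOLDS = {"mttd_hours": 12.0, "mttr_hours": 24.0, "false_positive_rate": 0.3,
                  "pct_off_schedule": 25.0, "missed_detection_rate": 0.1}


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def incident_rate(incidents, start, end) -> int:
    """Confirmed incidents whose start falls in [start, end)."""
    return sum(1 for i in incidents if i.true_positive and start <= i.occurred < end)


def mttd_hours(incidents) -> float:
    """Mean time to detect: occurrence -> detection, confirmed incidents only."""
    return mean(hours(i.detected - i.occurred) for i in incidents if i.true_positive)


def mttr_hours(incidents) -> float:
    """Mean time to respond/recover: detection -> resolution, confirmed incidents only."""
    return mean(hours(i.resolved - i.detected) for i in incidents if i.true_positive)


def false_positive_rate(incidents) -> float:
    """Share of raised alerts that were closed as benign."""
    return sum(1 for i in incidents if not i.true_positive) / len(incidents)


def missed_detection_rate(steps) -> float:
    """Proxy for the false-negative rate: simulated attack steps monitoring did not flag.
    Misses are invisible in the tooling's own alerts, so an external reference such as
    a red-team log is required."""
    return sum(1 for _, detected in steps if not detected) / len(steps)


def remediation_schedule(vulns, as_of, sla_days=SLA_DAYS) -> dict:
    """Classify each finding against its SLA deadline. Open findings still inside the
    SLA count as on schedule; open findings past it count as off schedule."""
    counts = {"fixed_on_time": 0, "fixed_late": 0, "open_within_sla": 0, "open_overdue": 0}
    for v in vulns:
        deadline = v.found + timedelta(days=sla_days[v.severity])
        if v.fixed is not None:
            counts["fixed_on_time" if v.fixed <= deadline else "fixed_late"] += 1
        else:
            counts["open_within_sla" if as_of <= deadline else "open_overdue"] += 1
    on_schedule = counts["fixed_on_time"] + counts["open_within_sla"]
    counts["pct_on_schedule"] = round(100 * on_schedule / len(vulns), 1)
    counts["pct_off_schedule"] = round(100 - counts["pct_on_schedule"], 1)
    return counts


def kri_breaches(metrics: dict, thresholds: dict) -> list:
    """Names of indicators whose value exceeds the tolerance set for them."""
    return sorted(k for k, limit in thresholds.items() if metrics[k] > limit)


def audit_snapshot(as_of=T(2024, 4, 15)) -> dict:
    """Indicator set an auditor would pull for one reporting period."""
    sched = remediation_schedule(VULNS, as_of)
    metrics = {
        "incidents_march": incident_rate(INCIDENTS, T(2024, 3, 1), T(2024, 4, 1)),
        "mttd_hours": mttd_hours(INCIDENTS),
        "mttr_hours": mttr_hours(INCIDENTS),
        "false_positive_rate": false_positive_rate(INCIDENTS),
        "missed_detection_rate": missed_detection_rate(REDTEAM_STEPS),
        "pct_off_schedule": sched["pct_off_schedule"],
    }
    metrics["kri_breaches"] = kri_breaches(metrics, KRI_THRESHOLDS)
    return metrics


if __name__ == "__main__":
    for name, value in audit_snapshot().items():
        print(f"{name}: {value}")
```

On the sample data the MTTD (8 h) and MTTR (16 h) sit inside their tolerances, but half of the findings are off schedule and one simulated attack step went undetected, so those two KRIs are the ones the dashboard would surface. Open findings are kept in the denominator deliberately: counting only closed tickets makes the on-schedule percentage look better the longer remediation is postponed.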
5.10. Frameworks and Good Practices
- Strategic Decision-Making and Resource Allocation—The visibility provided by clear reports and dashboards gives managers an accurate picture of the cybersecurity landscape and supports data-driven decisions. The availability of strategic intelligence supports efficient resource allocation, directing investments to high-risk areas while avoiding waste. Additionally, identifying improvement areas through objective metrics allows for continuous adjustments, aligning security measures with organizational goals.
- Proactive Risk and Vulnerability Management—The ability to identify vulnerabilities and prioritize mitigation actions is essential for an effective defensive posture. Combined with trend analysis, which anticipates emerging threats, organizations can take preventive measures before risks materialize. Rapid response to indicators ensures that changes in the security environment are addressed swiftly, reducing potential impacts. Comprehensive risk mapping reduces the chance that a critical threat is overlooked.
- Continuous Monitoring and Evaluation—Real-time KPIs and KRIs enable ongoing monitoring of security postures, facilitating early detection of anomalies. Periodic evaluation of implemented policies and controls helps measure their effectiveness, ensuring they fulfill their intended purposes. Furthermore, performance analysis of security controls verifies their alignment with organizational needs.
- Resilience and Process Validation—Organizations enhance their ability to withstand and recover from cyber incidents, strengthening overall resilience. Penetration testing and other process validation methods verify that vulnerability assessment, patch management, and incident response work as documented, ensuring readiness for real-world scenarios.
- Operational Efficiency and Standardization—Optimized security processes lead to productivity gains and reduced rework, fostering lasting structural improvements. Standardized methodologies ensure consistent risk assessments, while streamlined audits improve execution efficiency. Clearly defined security controls eliminate ambiguity and promote best practices.
- Technical Capability Development and Independence—Knowledge transfer between specialists and internal teams enhances technical skills, empowering organizations to address security challenges. Audit independence keeps risk assessments free from the biases of the teams being assessed and contributes a more objective perspective.
- Transparency and Communication—Transparent reporting and relevant metrics improve communication with stakeholders, both internal and external. This builds trust in security management and ensures alignment on risks and protective measures.
- Governance and Independence—Challenges in this category are directly tied to organizational structure and the preservation of audit impartiality. The absence or ineffectiveness of the second line of defense (risk management and compliance) overburdens internal audit, exposing it to pressure from the first line (operations). Additionally, consulting activities performed by internal audit may compromise its independence if the team becomes too involved in the processes it is meant to evaluate. Another critical issue is cross-departmental alignment, as teams like IT, cybersecurity, and audit often have differing objectives and terminology, hindering effective collaboration. Finally, having the audit team conduct penetration tests can create conflicts of interest, requiring rigorous documentation of methods to preserve objectivity.
- Technical and Operational Capability—Technical complexity is one of the biggest hurdles for modern auditing. Integrating data from disparate sources is time-consuming and resource-intensive, while managing large volumes of information demands specialized tools and skills. Data quality is another concern, as unreliable or inconsistent sources can lead to flawed analyses. Furthermore, maintaining dashboards and reports requires significant effort, especially in environments with legacy systems or fragmented infrastructure.
- Metrics and Indicators—Defining and interpreting relevant metrics remains a persistent challenge. Many organizations struggle to identify key performance indicators (KPIs) aligned with their strategic risks and objectives, often collecting data that fails to yield actionable insights. Even when metrics are well-defined, their interpretation requires specialized expertise, and superficial analysis can lead to incorrect conclusions, impacting decision-making.
- Human Resources and Skills Development—The shortage of qualified talent and the need for continuous upskilling present critical challenges. Relying on external specialists for security testing and other technical tasks not only increases costs but also creates knowledge gaps. Furthermore, the lack of professionals skilled in cybersecurity, data analysis, and governance hinders the audit function’s capacity to adopt advanced practices such as Red Team exercises. The ongoing demand for training further strains budgets and necessitates a structured career development plan.
- Financial and Infrastructure Constraints—Limited budgets directly affect audit effectiveness. Implementing continuous monitoring tools and security frameworks requires significant licenses, infrastructure, and training investments. Many organizations struggle to justify these costs, especially when tangible returns are not immediate. Moreover, hiring specialized services, such as penetration testing and framework consulting, may become unfeasible under financial constraints.
- Framework Implementation and Maintenance—Adopting frameworks such as the NIST CSF, ISO/IEC 27001, or COBIT is essential but fraught with obstacles. Customizing them to the organization’s context demands time and expertise, while implementation complexity requires experienced teams. The high upfront deployment costs and the need for ongoing training to keep the frameworks current pose additional barriers. Without a clear strategy, these initiatives risk becoming never-ending projects that fail to deliver the expected value.
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
AI | Artificial Intelligence |
BACEN | Banco Central do Brasil |
C2M2 | Cybersecurity Capability Maturity Model |
CIS | Center for Internet Security |
CMN | National Monetary Council |
COBIT | Control Objectives for Information and Related Technologies |
CRM | Cyber Risk Management |
CSF | Cybersecurity Framework |
IDS | Intrusion Detection System |
IEC | International Electrotechnical Commission |
IIA | The Institute of Internal Auditors |
IPS | Intrusion Prevention System |
ISO | International Organization for Standardization |
IT | Information Technology |
KPI | Key Performance Indicator |
KRI | Key Risk Indicator |
MTTD | Mean Time to Detect |
MTTR | Mean Time to Respond or Recover |
NIST | National Institute of Standards and Technology |
Pentest | Penetration Testing |
SFN | National Financial System |
SIEM | Security Information and Event Management |
SWIFT | Society for Worldwide Interbank Financial Telecommunication |
UEBA | User and Entity Behavior Analytics |
References
- Cremer, F.; Sheehan, B.; Fortmann, M.; Kia, A.; Mullins, M.; Murphy, F.; Materne, S. Cyber risk and cybersecurity: A systematic review of data availability. Geneva Pap. Risk Insur. Issues Pract. 2022, 47, 698–736. [Google Scholar] [CrossRef]
- McShane, M.; Eling, M.; Nguyen, T. Cyber risk management: History and future research directions. Risk Manag. Insur. Rev. 2021, 24, 93–125. [Google Scholar]
- Rosati, P.; Gogolin, F.; Lynn, T. Cyber-Security Incidents and Audit Quality. Eur. Account. Rev. 2017, 31, 701–728. [Google Scholar] [CrossRef]
- PricewaterhouseCoopers (PwC). Global Digital Trust Insights 2023: A C-Suite United on Cyber-Ready Futures; PwC: Adelaide, Australia, 2024. [Google Scholar]
- Benz, M.; Chatterjee, D. Calculated risk? A cybersecurity evaluation tool for SMEs. Bus. Horizons 2020, 63, 531–540. [Google Scholar] [CrossRef]
- Verizon Business. 2021 Data Breach Investigations Report; Verizon: Basking Ridge, NJ, USA, 2021. [Google Scholar]
- IBM. Cost of a Data Breach Report 2023; IBM Corporation: Armonk, NY, USA, 2023. [Google Scholar]
- Tripathi, M.; Mukhopadhyay, A. Does privacy breach affect firm performance? An analysis incorporating event-induced changes and event clustering. Inf. Manag. 2022, 59, 24. [Google Scholar] [CrossRef]
- ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO/IEC: Geneva, Switzerland, 2022.
- Resolution CMN No. 4,968; On Internal Control Systems of Financial Institutions. Brazilian National Monetary Council: Brasília, Brazil, 2021.
- Bantleon, U.; D’Arcy, A.; Eulerich, M.; Hucke, A.; Pedell, B.; Ratzinger-Sakel, N. Coordination Challenges in Implementing the Three Lines of Defense Model. Corp. Governance Intern. Gov. 2021, 25, 59–74. [Google Scholar] [CrossRef]
- Afrifah, W.; Epiphaniou, G.; Ersotelos, N.; Maple, C. Barriers and Opportunities In Cyber Risk And Compliance Management For Data-Driven Supply Chains. In Proceedings of the 55th Hawaii International Conference on System Sciences (HICSS 2022), Virtual Event, 4–7 January 2022; ScholarSpace, University of Hawai‘i at Mānoa: Honolulu, HI, USA, 2022. [Google Scholar]
- Chen, Y.; Galletta, D.; Lowry, P.; Luo, X.; Moody, G.; Willison, R. Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model. Inf. Syst. Res. 2021, 32, 1043–1065. [Google Scholar] [CrossRef]
- Eulerich, A.; Eulerich, M. What Is the Value of Internal Auditing?—A Literature Review on Qualitative and Quantitative Perspectives. Corp. Governance Actors Play. J. 2020, 94, 83–92. [Google Scholar] [CrossRef]
- Carcello, J.; Eulerich, M.; Masli, A.; Wood, D. Are Internal Audits Associated with Reductions in Perceived Risk? Audit. J. Pract. Theory 2020, 39, 55–73. [Google Scholar] [CrossRef]
- Lois, P.; Drogalas, G.; Karagiorgos, A.; Thrassou, A.; Vrontis, D. Internal auditing and cyber security: Audit role and procedural contribution. Int. J. Manag. Financ. Account. 2021, 13, 25–47. [Google Scholar] [CrossRef]
- Kahyaoglu, S.; Çalıyurt, K. Cyber security assurance process from the internal audit perspective. Manag. Audit. J. 2018, 33, 360–376. [Google Scholar] [CrossRef]
- Georg, M.A.C.; Rodrigues, W.M.S.; Alves, C.A.D.M.; Silveira Júnior, A.; Nunes, R.R. Os desafios da Segurança Cibernética no setor público federal do Brasil: Estudo sob a ótica de gestores de tecnologia da informação [The challenges of cybersecurity in Brazil’s federal public sector: a study from the perspective of IT managers]. RISTI 2023, E54, 602–616. [Google Scholar]
- Alves, R.S.; Georg, M.A.C.; de Sousa, R.T.; Nunes, R.R. Judiciário sob ataque hacker: Riscos de negócio para segurança cibernética em tribunais brasileiros [Judiciary under hacker attack: business risks to cybersecurity in Brazilian courts]. RISTI 2023, E56, 344–357. [Google Scholar]
- Alves, R.S.; Queiroz, C.E.M.; Nunes, R.R. Os Tribunais têm Estrutura Para Gerenciar Riscos de Segurança da Informação? Um estudo à luz das Três Linhas [Do the courts have the structure to manage information security risks? A study in light of the Three Lines]. Revista CEJ 2024, 27, 145–160. [Google Scholar]
- Walker, P.; Shenkir, W. Enterprise Risk Management: Frameworks, Elements, and Integration. Risk Manag. J. 2018, 33, 36–42. [Google Scholar]
- Chong, W.; Feng, R.; Hu, H.; Zhang, L. Cyber Risk Assessment for Capital Management. arXiv 2022, arXiv:2205.08435. [Google Scholar] [CrossRef]
- Alahmari, A.; Duncan, B. Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. In Proceedings of the 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Dublin, Ireland, 15–19 June 2020; pp. 1–5. [Google Scholar]
- Deebak, B.; Al-turjman, F. Privacy-preserving in smart contracts using blockchain and artificial intelligence for cyber risk measurements. J. Inf. Secur. Appl. 2021, 58, 102749. [Google Scholar] [CrossRef]
- ISACA. COBIT® 2019 Framework: Governance and Management of Enterprise IT; ISACA: Schaumburg, IL, USA, 2019. [Google Scholar]
- ISO/IEC 27005:2022; Information Security, Cybersecurity and Privacy Protection—Guidance on Managing Information Security Risks. ISO/IEC: Geneva, Switzerland, 2022.
- IIA. The IIA’s Three Lines Model: An Update of the Three Lines of Defense; The Institute of Internal Auditors: Lake Mary, FL, USA, 2022. [Google Scholar]
- Deloitte. Modernizing the Three Lines of Defense Model; Deloitte Touche Tohmatsu Limited: London, UK, 2020. [Google Scholar]
- Eulerich, M. The New Three Lines Model for Structuring Corporate Governance—A Critical Discussion of Similarities and Differences. Entrep. Soc. Sci. J. 2021, 18, 180–187. [Google Scholar]
- Banco Central do Brasil. Regulação Prudencial—Resolução CMN N° 4.553 de 30/1/2017 [Prudential Regulation—CMN Resolution No. 4,553 of 30 January 2017]; Banco Central do Brasil: Brasília, Brazil, 2017.
- NIST National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0; NIST National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
- European Union. Directive (EU) 2022/2555 (NIS2) on Measures for a High Common Level of Cybersecurity Across the Union; European Union: Brussels, Belgium, 2023.
- PCI Security Standards Council. PCI DSS v4.0—Payment Card Industry Data Security Standard; PCI Security Standards Council: Wakefield, MA, USA, 2022. [Google Scholar]
- European Union. Digital Operational Resilience Act (DORA)—Regulation (EU) 2022/2554; European Union: Brussels, Belgium, 2025.
- Monetary Authority of Singapore. Technology Risk Management Guidelines; Monetary Authority of Singapore: Singapore, 2021.
- Brazilian National Monetary Council. Resolution CMN No. 4,879—On Internal Audit Activities in Financial Institutions; Brazilian National Monetary Council: Brasília, Brazil, 2020.
- Brazilian National Monetary Council. Resolution CMN No. 4,893—On Security Policy Implementation and Effectiveness Monitoring Mechanisms; Brazilian National Monetary Council: Brasília, Brazil, 2021.
- Central Bank of Brazil. Normative Instruction BCB No. 305—Open Finance Security Manual Version 4.0; Central Bank of Brazil: Brasília, Brazil, 2022.
- Cai, T. Continuous Auditing and Risk Monitoring: Implementation with Automation. ISACA J. 2024, 5. [Google Scholar]
- Eulerich, M.; Fligge, B.; Lopez-Kasper, V.I.; Wood, D.A. Patience Is Key: The Time It Takes to See Benefits from Continuous Auditing. Account. Horizons 2024, 39, 69–86. [Google Scholar] [CrossRef]
- Jada, I.; Mayayise, T.O. The impact of artificial intelligence on organisational cyber security: An outcome of a systematic literature review. Data Inf. Manag. 2023, 8, 100063. [Google Scholar] [CrossRef]
- Taiwo, P.; Akoto-Bamfo, D.; Kpakpa, C.T.; Panful, B.; Oware, D. Evaluating the role of cybersecurity audits in protecting the US capital market. World J. Adv. Res. Rev. 2025, 25, 974–980. [Google Scholar] [CrossRef]
- Anand, A.; Chirputkar, A.; Ashok, P. Mitigating Cyber-Security Risks using Cyber-Analytics. In Proceedings of the 7th International Conference on Trends in Electronics and Informatics (ICOEI 2023), Tirunelveli, India, 11–13 April 2023. [Google Scholar]
- Schreiber, A.; Schreiber, I. AI for cyber-security risk: Harnessing AI for automatic generation of company-specific cybersecurity risk profiles. Inf. Comput. Secur. 2025; ahead-of-print. [Google Scholar]
- Ali, S.M.; Razzaque, A.; Yousaf, M.; Shan, R.U. An Automated Compliance Framework for Critical Infrastructure Security Through Artificial Intelligence. IEEE Access 2025, 13, 4436–4459. [Google Scholar] [CrossRef]
- Almaqtari, F.A. The Role of IT Governance in the Integration of AI in Accounting and Auditing Operations. Economies 2024, 12, 199. [Google Scholar] [CrossRef]
- Jiang, W. Cybersecurity Risk and Audit Pricing—A Machine Learning-Based Analysis. J. Inf. Syst. 2024, 38, 91–117. [Google Scholar] [CrossRef]
- Sabillon, R.; Higuera, J.R.B.; Cano, J.; Higuera, J.B.; Montalvo, J.A.S. Assessing the Effectiveness of Cyber Domain Controls When Conducting Cybersecurity Audits: Insights from Higher Education Institutions in Canada. Electronics 2024, 13, 3257. [Google Scholar] [CrossRef]
- Saravanan, S.; Menon, A.K.; Saravanan, K.; Gopalakrishnan, J. Cybersecurity Audits for Emerging and Existing Cutting Edge Technologies. In Proceedings of the 2023 IEEE International Symposium (ISED 2023), Dehradun, India, 15–17 December 2023. [Google Scholar]
- Sabillon, R.; Bermejo Higuera, J.R. New Validation of a CyberSecurity Audit Model to Audit the Cybersecurity Program in a Canadian Higher Education Institution. In Proceedings of the 2023 Conference on Information Communications Technology and Society (ICTAS), Durban, South Africa, 8–9 March 2023; pp. 1–6. [Google Scholar]
- Shalabi, K.; Al-Fayoumi, M.; Al-Haija, Q. Enhancing Financial System Resilience Against Cyber Threats via SWIFT Customer Security Framework. In Proceedings of the 2023 International Conference On Information Technology (ICIT), Kyoto, Japan, 14–17 December 2023; pp. 260–265. [Google Scholar]
- Banco Central do Brasil. Relatório de Estabilidade Financeira N° 26 [Financial Stability Report No. 26]; Banco Central do Brasil: Brasília, Brazil, 2024.
- Gordieieva, T.; Tsaturian, A. Analysis of trends and determinants of the ‘Big 4’ companies in the global audit market. Technol. Audit. Prod. Reserv. 2023, 4, 6–11. [Google Scholar] [CrossRef]
- Staveren, M. What can controllers and internal auditors do to support risk ownership. Maandbl. Voor Account. Bedrijfsecon. 2021, 95, 261–268. [Google Scholar] [CrossRef]
- Eling, M.; Elvedi, M.; Falco, G. The Economic Impact of Extreme Cyber Risk Scenarios. North Am. Actuar. J. 2022, 27, 429–443. [Google Scholar] [CrossRef]
- Kikuchi, M.; Okubo, T. Cyber Governance Complex in Firms. In Proceedings of the 2nd International Conference on Control and Computer Vision, Jeju Island, Republic of Korea, 15–18 June 2019. [Google Scholar]
- Brunner, M.; Sauerwein, C.; Felderer, M.; Breu, R. Risk Management Practices in Information Security: Exploring the Status Quo in the DACH Region. Comput. Secur. 2020, 92, 101776. [Google Scholar] [CrossRef]
- ISACA. Risk IT Framework for IT Risk Management—A Practical Application for the Risk IT Framework; ISACA: Schaumburg, IL, USA, 2020. [Google Scholar]
- Basel Committee on Banking Supervision (BCBS). Cyber-Resilience: Range of Practices; Bank for International Settlements: Basel, Switzerland, 2018. [Google Scholar]
- Setyaningrum, D.; Kuntadi, C. The effects of competence, independence, audit work, and communication on the effectiveness of internal audit. J. Econ. Bus. Account. Ventur. 2019, 22, 39–47. [Google Scholar] [CrossRef]
- Johari, R.; Razali, F.; Hashim, A. Enterprise Risk Management: Internal Auditor’s Role Perspective. Int. J. Acad. Res. Account. Financ. Manag. Sci. 2022, 12, 1–14. [Google Scholar] [CrossRef] [PubMed]
- Hubbard, D.; Seiersen, R. How to Measure Anything in Cybersecurity Risk; John Wiley & Sons, Inc.: Hoboken, NJ, USA, 2016. [Google Scholar]
- Zaidirina, L.; Bangsawan, S. Implementation of corporate governance and mandatory disclosure in the Indonesian banking sector: Good news or bad news. Int. J. Monet. Econ. Financ. 2017, 10, 281–294. [Google Scholar] [CrossRef]
- Dacorogna, M.; Debbabi, N.; Kratz, M. Building up Cyber Resilience by Better Grasping Cyber Risk Via a New Algorithm for Modelling Heavy-Tailed Data. Eur. J. Oper. Res. 2022, 311, 708–729. [Google Scholar] [CrossRef]
- IBM. Cost of a Data Breach Report 2020; IBM Corporation: Armonk, NY, USA, 2020. [Google Scholar]
- Bardin, L. Análise de Conteúdo [Content Analysis]; Edições 70—Almedina Brasil: São Paulo, Brazil, 2016. [Google Scholar]
- Deloitte. Risk Management in the Digital Age—Bitcoin Futures and Hedge Accounting; Deloitte Touche Tohmatsu Limited: London, UK, 2019. [Google Scholar]
- IIA. Global Perspectives & Insights: Cybersecurity; The Institute of Internal Auditors: Lake Mary, FL, USA, 2023. [Google Scholar]
- Muhsyaf, S.; Cahyaningtyas, S.; Sasanti, E. Three Line of Defense: An Effective Risk Management. In Proceedings of the 18th International Symposium On Management (INSYMA 2021), Online, 27–28 May 2021. [Google Scholar]
- Business Continuity Institute (BCI). Good Practice Guidelines; BCI: Reading, UK, 2018. [Google Scholar]
- U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Cybersecurity Capability Maturity Model (C2M2), Version 2.1; CESER: Washington, DC, USA, 2022.
Segment | Composition | Size | Number of Institutions |
---|---|---|---|
S1 | Banks | Greater than or equal to 10% of GDP (Gross Domestic Product) or relevant international activity | 6 |
S2 | Banks smaller than 10% of GDP and other institutions larger than 1% of GDP | From 1% to 10% of GDP | 6 |
S3 | Banks and non-banking institutions | From 0.1% to 1% of GDP | 58 |
S4 | Banks and non-banking institutions | Less than 0.1% of GDP | 366 |
S5 | Non-banking institutions with simplified risk profile | Less than 0.1% of GDP | 855 |
Segment | Number of Interviewees | (%) |
---|---|---|
S1 | 8 | 50% |
S2 | 2 | 12.5% |
S3 | 2 | 12.5% |
S4 | 1 | 6.25% |
S5 | 1 | 6.25% |
External Audit | 2 | 12.5% |
Total | 16 | 100% |
Id. | Question | References |
---|---|---|
Q01 | Tell us a little about your academic background and professional experiences. | |
Q02 | How would you describe your current role in relation to cybersecurity and/or Internal Audit? | |
Q03 | How do you believe the organizational structure should work, in terms of lines, in relation to cybersecurity? | [14,28,29,54] |
Q04 | How can an organization include cyber risk management in its corporate strategy? | [22,55,56,57] |
Q05 | How do you see the role of internal audit in cyber risk management? | [17,55,58,59] |
Q06 | How can internal audit work and collaborate with other areas of the company to identify and mitigate cyber risks? | [13,60,61] |
Q07 | How can auditing help an organization monitor and assess potential cyber threats? | [22,23,24] |
Q08 | What practices or frameworks do you consider essential to help auditing assess how the organization manages and mitigates cyber risks? | [9,25,31] |
Q09 | How does internal auditing assess the effectiveness of the cybersecurity controls implemented by the organization? | [3,16,17] |
Q10 | What metrics or indicators can be used by internal audit to measure the effectiveness of cybersecurity controls? | [12,62] |
Q11 | How can internal audit contribute to ensuring compliance with standards and regulations related to cybersecurity? | [12,63,64] |
Q12 | How can nonconformities identified by audit be addressed and communicated within the organization? | [17,55,58,65] |
Q13 | Based on your experiences, what are the main lessons learned about internal audit and/or cyber risk? | [56] |
Q14 | What trends and innovations in the area of cybersecurity and/or audit do you consider most relevant for the coming years? | [56] |
Figure: Evaluating the Effectiveness of Cybersecurity Controls (how internal audit can evaluate the effectiveness of cybersecurity controls implemented in institutions).
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Ferreira, L.V.A.; Alves, C.A.d.M.; Peotta de Melo, L.; Nunes, R.R. Internal Audit Strategies for Assessing Cybersecurity Controls in the Brazilian Financial Institutions. Appl. Sci. 2025, 15, 5715. https://doi.org/10.3390/app15105715