Why internal audit functions should own pen testing

Caleb Pfanstiel | 6/12/2024

Pen testing teams should report to the internal audit function – here’s why.

Whether an organization outsources or has developed its own penetration testing (pen testing) team, offensive security functions often fall under the purview of information security (IS) or information technology (IT) teams, depending on the size of the organization and the distribution of responsibilities. But what if this seemingly logical assignment of responsibility is flawed? Might pen testing teams belong in a different part of the business?

Internal auditors might not think of themselves as pen testers and vice versa, but these teams share common motivations and purpose. This commonality presents an opportunity for better alignment in an organization. A forward-thinking cybersecurity program should seize this opportunity and integrate its internal audit function and its pen testing team into a cohesive business function. By doing so, organizations can level up their cyber risk management.


History of the internal audit function and cybersecurity

Given the increasing reliance on technology and the rise of cyberthreats, the internal audit function, originally rooted in financial auditing, has evolved to encompass the evaluation of cybersecurity controls. This expansion of duties has helped organizations address the growing risks associated with data breaches, cyberattacks, and the protection of sensitive information.

In the early 2000s, several high-profile corporate scandals, including Enron and WorldCom, shook investor confidence. In response, the U.S. Congress enacted the Sarbanes-Oxley Act (SOX) in 2002 to enhance corporate governance, financial reporting, and accountability. SOX also introduced requirements for internal controls, including those related to IT and cybersecurity, and created a need for cybersecurity auditors.

The role of a cybersecurity auditor involves evaluating these internal controls and the organization’s cybersecurity policies and procedures. Cybersecurity auditors assess the organization’s ability to protect sensitive data, detect and respond to cyberthreats, and comply with relevant regulations. To do so, these auditors conduct assessments, review documentation, perform technical tests, and provide recommendations to enhance the organization's cybersecurity posture. An example of a technical assessment that cybersecurity auditors perform is a pen test.

Pen testing, red teaming, and control effectiveness testing

To understand why pen testing teams should fall under the internal audit umbrella, it is helpful to understand what a pen test is and how it provides value. A pen test simulates real-world attacks, and it tests the effectiveness of an organization’s defenses, incident response capabilities, and resilience against sophisticated adversaries – played by the pen testing team.

Pen testing teams are sometimes referred to as red teams. Pen testing teams and red teams encompass distinct meanings and roles, but the terms often are used interchangeably to describe groups of security professionals that technically test an organization’s defenses. While a red team assessment is distinct from a pen test, the term “red team” generally refers to the offensive security team at large and encompasses more than just the pen testing function. By acting as an external threat actor and identifying vulnerabilities and weaknesses in an organization’s environment, systems, networks, applications, and processes, the red team can exploit these gaps to gain unauthorized access, extract sensitive information, or disrupt critical operations, thus penetrating the organization’s defenses before a real threat actor can.

These activities also validate the effectiveness of an organization’s security controls, test the organization’s incident response capabilities against a simulated attack scenario, and enhance the organization’s cyber resilience through proactive remediation and mitigation of vulnerabilities and risks.

Conflict of interest for IS and IT

Because pen tests are so technical, some might wonder why internal IS or IT functions couldn’t perform the functions of a red team themselves. After all, IS and IT teams build, operate, and maintain these systems. This question is valid, but there are several reasons why IS and IT shouldn’t own pen testing, including:

  • Expertise and skill set. Pen testing requires specialized technical skills and expertise in identifying vulnerabilities, exploiting them, and simulating real-world attacks. While internal IS and IT personnel possess knowledge of technologies and software, they might not have the same level of technical expertise on pen testing as dedicated pen testers and attackers. Alternatively, IT might have the skill set to perform pen testing but lack the bandwidth to execute these responsibilities on top of existing workloads. Pen testers are generally in a dedicated role focused on performing these assessments and often have backgrounds in cybersecurity, ethical hacking, and offensive security techniques, which are not always part of the skill set of internal IS and IT personnel.
  • Limited perspective. Internal IS and IT departments typically have a deep understanding of the organization’s infrastructure, systems, and security controls. While this knowledge is valuable, it can also limit their perspective during pen testing. They might unintentionally overlook certain attack vectors or vulnerabilities that an external attacker might exploit. An external perspective, such as one provided by an independent third-party pen testing team, can bring fresh insights and identify blind spots that the internal IS and IT departments might miss.
  • Lack of objectivity. Objectivity is crucial in pen testing to achieve an unbiased assessment of an organization’s security posture. As part of the organization, internal IS and IT departments might find it challenging to maintain complete objectivity during the testing process. They might fear that the testing process could disrupt critical services, cause downtime, or expose sensitive information. Worse, they might be influenced by internal politics, personal relationships, or a desire to protect their own reputation. This fear or lack of objectivity can compromise the integrity and effectiveness of the pen testing exercise and result in missed critical vulnerabilities that need to be addressed.

In short, allowing internal IS or IT teams to own the pen testing process might create conflicts of interest or compromise their independence, as they would be testing controls that they themselves have implemented or assessed.

Challenges of the internal audit function owning pen testing

So, if it makes sense for the internal audit function to own pen testing, what are the barriers to this integration?

  • Resource allocation is one key challenge, as it requires investing in skilled auditors, red team members, and the necessary tools and technologies to perform adequate and comprehensive testing. Most organizations can’t find enough talent for their security teams as it stands, so hiring dedicated pen testing teams is difficult. Alternatively, organizations that do hire dedicated pen testers might have trouble keeping them busy enough to justify full-time employee positions.
  • Effective integration also requires strong collaboration and communication between the red team and the internal audit function, and those teams might have different perspectives, methodologies, and reporting structures. The internal audit team members might have to loosen their understanding of an audit program to allow the fluidity required in a pen test. Conversely, red team members might need to tighten up their documentation to meet internal audit standards.
  • Organizational resistance is a common barrier. Internal audit teams might find that IT or IS teams don’t want to give up control or don’t trust them to perform such technical testing correctly.

Overcoming the hurdles of integration

To overcome the challenges associated with integrating red teams into internal audit’s cybersecurity program, organizations can take several steps.

  1. First, organizations should prioritize resource allocation by investing in skilled personnel, providing adequate budgets, and acquiring the necessary tools and technologies based on the scope and depth of the required testing. As finding qualified personnel might be difficult, organizations can engage third-party specialists for the expertise required to perform the testing while internal audit assumes a leadership role.
  2. Second, the differing philosophies and methodologies between internal audit and red teams need to be shared and understood by both parties. Although the specific methods of testing differ, the goals are the same, so focusing on the commonalities and being flexible with the methodologies is key. Developing and maintaining the disparate required skill sets can be achieved through training programs and professional development opportunities.
  3. Finally, fostering collaboration and communication between the security team and internal audit is crucial. This collaboration can be achieved through regular meetings, sharing insights and findings, and establishing a common understanding of objectives. Transparency and streamlined reporting allow for a no-surprises environment that helps both teams make sure that identified gaps are tracked and addressed in a timely manner.

Envisioning a unified approach

The integration of pen testing teams into the internal audit function could enhance both offerings. The internal audit team could provide insights into the organization’s policies, procedures, and compliance requirements while the pen testing teams could bring a fresh perspective and specialized expertise in identifying vulnerabilities and gaps. This collaboration could yield a more comprehensive assessment of security controls and help identify previously overlooked gaps. Internal audit-driven pen testing could also provide independent oversight of security controls and additional accountability to IT teams.

Internal audit oversight of the pen testing team also could result in better integration into the risk management function. Assessment findings could be risk-ranked more accurately, the findings could be tracked more judiciously, and formal remediation plans could be drawn up with responsibilities and timelines for resolution appropriately assigned. Internal audit’s monitoring could track the progress of remediation efforts and confirm that the identified gaps are effectively addressed.

By taking these steps to make pen testing teams a function of internal audit, organizations can successfully overcome the challenges and achieve a seamless integration of the internal audit and red teams in their cybersecurity programs. Once fully integrated, organizations might find that their cybersecurity maturity improves so that they can better measure and monitor cybersecurity risks, threats, and controls and address compliance and governance more proactively.
