Original article: ISPreview UK
The Chartered Institute of Internal Auditors (CIIA), which recently complained that some of the UK’s major broadband ISPs operate without an internal audit function (here), potentially exposing them to “unchecked risks and increasing the likelihood of corporate collapse”, has now sought to drum up new business by pressing the government to make internal audit a requirement of its revised telecoms security code.
The government is currently in the process (here) of updating the already fairly recent Telecommunications Security Code of Practice (2022). But the Chartered IIA this week “warns that the current proposals do not go far enough” and points out that the code remains “silent on the critical role of internal audit in providing independent and objective assurance to boards and senior management that telecoms security risks are being identified, managed and controlled effectively”.
For the uninitiated, the core role of internal audit is to provide independent and objective assurance that an organisation’s risk management, governance, and internal control processes are operating effectively, thereby ensuring the organisation can achieve its goals (although audits aren’t a 100% guarantee of this). In the UK and Ireland, the requirement for having an internal audit function is not universal across all types of organisations.
We should point out that Ofcom’s regulation via its General Conditions of Entitlement (industry rules), which are designed to protect consumers, does require broadband and phone providers to carry out regular audits of their Metering and Billing to ensure customers are billed correctly. But this is not quite the same thing as the deeper and wider role for audits being highlighted by the Chartered IIA.
Anne Kiem OBE, Chief Executive of the Chartered IIA, said:
“Telecommunications are the backbone of our digital economy and touch all of our daily lives. Yet too many telecoms providers operate without the independent assurance that internal audit brings to business-critical risks, despite increasing digital security threats. Ministers need to recognise the vital role of internal audit in supporting robust governance in the Telecommunications Security Code by setting a clear expectation for companies to obtain independent assurance.”
The Chartered IIA’s consultation response thus recommends that the Telecommunications Security Code is “strengthened” by:
➤ Recommending that the Code make clear that a telecom company’s security governance framework should integrate and be consistent with internal and external audit and assurance mechanisms. This aligns and is consistent with a similar requirement in DSIT’s Cyber Governance Code, published in April.
➤ Requiring telecoms providers to explain how they obtain independent assurance – whether through internal audit or equivalent mechanisms – so boards can demonstrate that security measures are effective in practice.
We suspect that more than a few broadband ISPs and network operators may see this as just another sneaky way for auditors to drum up a bit of extra business, forced through by new government legislation. But the CIIA argues that it’s “about protecting people, businesses, and the UK’s digital economy. By ensuring a stronger focus on governance, assurance and oversight … the Government can help build a more resilient and secure telecoms sector.”