Abstract
The global financial sector’s accelerating digitalization, propelled by the growing demand for rapid and tailored services, is increasingly vulnerable to complex cyber threats. This vulnerability underscores the critical need for comprehensive and coordinated cybersecurity efforts across all organizational levels. In this context, this study examines the role of internal audit as the third line of defense, investigating its potential to improve the effectiveness of cybersecurity controls within Brazilian financial institutions. The research aims to bridge existing gaps in cyber risk management by employing a qualitative methodology centered on semi-structured interviews with internal auditing, risk management, and information security experts across ten financial institutions. The data collected were analyzed using content analysis, enabling the categorization and interpretation of current practices and challenges in cyber risk management. The results indicated two perspectives on the depth of assessments conducted by internal audit and reinforced the fundamental role of internal audit in strengthening cybersecurity defenses: whether through high-level assessments of governance and management or penetration testing in specific scenarios, it can validate and increase the effectiveness of implemented controls. In addition, the study highlights the usefulness of data analytics for continuous auditing, identifying it as a proactive approach for the early detection of emerging cyber risks. These insights contribute significantly to the scholarly discourse on internal auditing’s role in the improvement of a secure and resilient organizational environment. They also offer actionable strategies for financial institutions seeking to integrate effective cyber risk management practices, thus reinforcing the sector’s preparedness against increasingly sophisticated cyber threats.
Cite
Ferreira, L. V. A., Alves, C. A. de M., Peotta de Melo, L., & Nunes, R. R. (2025). Internal Audit Strategies for Assessing Cybersecurity Controls in the Brazilian Financial Institutions. Applied Sciences (Switzerland), 15(10). https://doi.org/10.3390/app15105715