Is an internal legacy system still a cyber risk if it is not public-facing?
An application runs on unsupported technology, but IT says it is only reachable from inside the company network. Is that enough for internal audit to close the issue?
No. Internal-only placement reduces exposure, but it does not eliminate risk. Unsupported technology no longer receives security fixes, so any path that reaches the system reaches known, unpatched weaknesses. Internal systems can still be affected by lateral movement from a compromised workstation, stolen or reused credentials, vendor remote access, weak segmentation, removable media, malware, misconfigured firewall rules, or plain operational failure.
The auditor should ask for evidence rather than accept the description. A network diagram is a statement of intent; the exported firewall rule set, the list of allowed ports, access lists, recent vulnerability scan results, endpoint protection coverage, log retention, backup and restore test records, and incident-response coverage are the evidence that the claimed isolation actually holds. If IT says the system is isolated, internal audit can review those artifacts and check that they agree with each other and with the diagram.
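One way to turn an "it is only reachable internally" claim into something testable is to evaluate the exported firewall rules against the zones that matter (user VLANs, vendor VPN ranges, the internet) and see which of them can actually reach the legacy host's listening ports. The following is an added example, not code from the original page or any audit tool it refers to; the rule set, addresses, port list and zone names are constructed and hypothetical, and the policy is evaluated first-match with an implicit deny at the end, which is how most firewalls behave.

```python
"""Evaluate a constructed first-match firewall policy to test an isolation claim.

Added example (not from the original page). All rules, addresses, ports and
zone names below are hypothetical; substitute a real rule export and the
legacy host's real listening ports when using this against a live policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None means any TCP port


# Constructed policy, evaluated top-down, first match wins.
RULES: List[Rule] = [
    Rule("mgmt-to-legacy", "allow", "10.0.50.0/24", "10.0.10.5/32", 3389),
    Rule("vendor-vpn", "allow", "172.16.200.0/24", "10.0.10.0/24", None),
    Rule("users-to-legacy-app", "allow", "10.0.0.0/8", "10.0.10.5/32", 8080),
    Rule("deny-legacy", "deny", "0.0.0.0/0", "10.0.10.5/32", None),
    Rule("default-allow-internal", "allow", "10.0.0.0/8", "10.0.0.0/8", None),
]

LEGACY_HOST = "10.0.10.5"              # hypothetical unsupported server
LEGACY_PORTS = [3389, 8080, 445]       # hypothetical listening services

# Hypothetical source zones an auditor would want tested.
ZONES: Dict[str, str] = {
    "mgmt-jump-hosts": "10.0.50.0/24",
    "user-vlan": "10.0.100.0/24",
    "vendor-vpn": "172.16.200.0/24",
    "internet": "203.0.113.0/24",
}


def first_match(src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """Return the first rule matching the flow, or None for implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in RULES:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r
    return None


def reachable_ports(zone_cidr: str, host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe from the first usable address in the zone; map allowed port -> rule name."""
    probe = str(next(ipaddress.ip_network(zone_cidr).hosts()))
    allowed: Dict[int, str] = {}
    for p in ports:
        r = first_match(probe, host, p)
        if r is not None and r.action == "allow":
            allowed[p] = r.name
    return allowed


def isolation_findings(host: str, ports: Iterable[int], zones: Dict[str, str],
                       expected: Iterable[str] = ("mgmt-jump-hosts",)) -> List[str]:
    """List every zone, other than the expected ones, that can reach the host."""
    findings: List[str] = []
    for zone, cidr in zones.items():
        if zone in expected:
            continue
        hit = reachable_ports(cidr, host, ports)
        if hit:
            findings.append(
                f"{zone} ({cidr}) can reach {host} on {sorted(hit)} "
                f"via {sorted(set(hit.values()))}"
            )
    return findings


if __name__ == "__main__":
    for line in isolation_findings(LEGACY_HOST, LEGACY_PORTS, ZONES):
        print("FINDING:", line)
```

On the constructed policy the check shows the "isolated" claim is only partly true: the internet zone is blocked by the explicit deny, but the user VLAN reaches the application port through the broad 10.0.0.0/8 rule, and the vendor VPN range reaches every port because its rule targets the whole /24 and sits above the deny. Those two lines are exactly the evidence an auditor needs to decline to close the issue on the strength of "internal only". The probe uses one representative address per zone, so a rule written for a single host inside a zone would not be seen; for a real review, probe each address the rule set names as well.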
The right audit question is not, "Can I personally prove the exact exploit path?" The better question is, "Has management assessed the risk, implemented controls, and accepted the residual exposure at the right level?"
If the residual risk has not been accepted or remediated, internal audit can report a governance and control gap even without acting as the technical security architect.