
Auditing Cybersecurity: A CIA Framework for Scope, Controls, and Reliable Evidence

AcadiFi Editorial·2026-05-22·19 min read

The Thesis

Auditing cybersecurity is not the same as testing IT general controls. ITGCs focus on the integrity of financial reporting systems. Cybersecurity audit covers the protection of confidentiality, integrity, and availability of all information assets, including those outside the financial reporting boundary.

Internal auditors increasingly find that the cybersecurity audit is the most-asked-about engagement on their plan. Audit committees want assurance that the organization can identify, protect against, detect, respond to, and recover from cyber incidents. The CIA exam tests whether candidates can scope this engagement properly, choose evidence that actually supports a conclusion, and avoid the trap of producing a long list of low-value findings.

The Decision Map

```mermaid
flowchart TD
  A["Cybersecurity audit request"] --> B["Map NIST CSF functions to in-scope risks"]
  B --> C["Identify, Protect, Detect, Respond, Recover"]
  C --> D["For each function, identify control objectives"]
  D --> E["Map controls to evidence sources"]
  E --> F["Test design and operating effectiveness"]
  F --> G["Conclude on each function"]
  G --> H["Aggregate to overall cybersecurity opinion"]
```

The scoping step is the most-tested. A common audit failure is to define the engagement as "cybersecurity" with no further structure, leading to a sprawling, unfocused report. The NIST Cybersecurity Framework gives a clear scaffold that can be tailored to organization-specific risks.

NIST CSF Functions and Internal Audit Application

The five core functions of the NIST CSF map naturally to audit objectives.

  • Identify: asset inventory, business environment, governance, risk assessment, supply chain.
  • Protect: access control, awareness training, data security, information protection processes, maintenance, protective technology.
  • Detect: anomaly detection, security monitoring, detection processes.
  • Respond: response planning, communications, analysis, mitigation, improvements.
  • Recover: recovery planning, improvements, communications.

An audit can cover all five or focus on one or two functions for a deep dive. The CIA exam typically frames the question as "which function does this control objective belong to" or "which evidence supports a conclusion about function X."

Identify: The Foundation Most Audits Miss

The Identify function is where many cybersecurity audits fail before they begin. If the organization does not have a complete inventory of information assets, the auditor cannot conclude on whether they are protected.

Audit procedures for Identify:

  • Confirm the existence and completeness of an information asset inventory.
  • Confirm the existence of a data classification scheme and its application to high-value data.
  • Confirm a risk assessment that ranks information assets and treats them according to risk.
  • Confirm that the supply chain (vendors, cloud providers, contractors) is included in the inventory and the risk assessment.

A finding here is often the most consequential. "The organization lacks a complete inventory of internet-facing systems" is a finding that drives recommendations across all other functions.

Protect: Where Most Controls Live

The Protect function includes the controls most candidates think of first when they hear "cybersecurity": access control, multi-factor authentication, encryption, endpoint protection, patching.

Audit procedures for Protect include:

  • Sample user access reviews for evidence of independent review and timely revocation.
  • Confirm MFA on privileged accounts and remote access.
  • Test patch management for high-risk systems (remediation SLAs tiered by system criticality and vulnerability severity).
  • Verify encryption at rest and in transit for sensitive data.
  • Sample security awareness training completion records and the results of phishing simulation exercises.

Evidence quality matters. A management assertion that "all employees received training" is weaker than a learning management system report with timestamps and completion records. The CIA candidate should choose the higher-quality source.
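The following script is an added illustration (not from the original article) of what "choose the higher-quality source" looks like in practice: instead of accepting the assertion that all employees were trained, the auditor reconciles a system-generated LMS completion export against the HR roster and reports the exceptions. The roster, the export rows, the course code and the 365-day recency rule are all constructed assumptions for the example.

```python
"""Reconcile a learning-management-system (LMS) completion export against the
HR roster so the training conclusion rests on system-generated records with
completion dates rather than on a management assertion.

Added illustration; roster and export rows are constructed, not from a real LMS.
"""
from datetime import date, timedelta

# Constructed HR roster: every active employee who should have completed training.
HR_ROSTER = {"e001", "e002", "e003", "e004", "e005"}

# Constructed LMS export: (employee_id, course, completion_date or None if never completed).
LMS_EXPORT = [
    ("e001", "SEC-101", date(2026, 3, 10)),
    ("e002", "SEC-101", date(2025, 1, 22)),   # completed, but older than the review period
    ("e003", "SEC-101", None),                # enrolled, never completed
    ("e005", "SEC-101", date(2026, 4, 2)),
    ("e999", "SEC-101", date(2026, 4, 2)),    # completion for someone not on the roster
]

# Assumed fieldwork date for the example.
AS_OF = date(2026, 5, 22)


def reconcile_training(roster, lms_rows, as_of, max_age_days=365):
    """Return the exceptions an auditor would carry into a finding.

    A completion counts as current only if it falls within max_age_days of as_of;
    older completions are reported separately as stale rather than silently accepted.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    current, stale = set(), set()
    for emp, _course, completed in lms_rows:
        if completed is None:
            continue
        (current if completed >= cutoff else stale).add(emp)
    stale -= current  # a fresh completion supersedes an old one for the same person

    result = {
        "roster_size": len(roster),
        "current_completions": len(current & roster),
        "not_completed": sorted(roster - current - stale),
        "stale_completion": sorted(stale & roster),
        # LMS rows for identities absent from HR: possible leavers or service accounts
        "not_on_roster": sorted({emp for emp, _, _ in lms_rows} - roster),
    }
    result["completion_rate"] = round(result["current_completions"] / len(roster), 3)
    return result


def audit_snapshot():
    """Run the reconciliation on the constructed sample."""
    return reconcile_training(HR_ROSTER, LMS_EXPORT, AS_OF)


if __name__ == "__main__":
    for key, value in audit_snapshot().items():
        print(f"{key}: {value}")
```

On the constructed data the completion rate is 40%, two employees never completed, one completion is stale, and one completion belongs to an identity HR does not recognise; each of those is a separate line in the working papers, which is exactly what an assertion of "all employees trained" cannot give you.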

Detect: The Function That Reveals Incident Capability

The Detect function tests whether the organization can spot something going wrong. Audit procedures:

  • Confirm the existence and tuning of a security information and event management (SIEM) system.
  • Sample alerts and trace from generation through investigation to closure.
  • Test the time-to-detect for selected incidents.
  • Confirm independent review of detection thresholds and false positive rates.

A common finding: alerts exist but no human reviews them, or review happens but with no documented investigation trail.
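As an added example (not part of the original article), the script below applies the Detect procedures above to a sample of alert records: it computes time-to-detect from the event and alert timestamps, and flags alerts that were never reviewed or were closed with no investigation trail. The alert records, the field names and the 60-minute detection threshold are constructed assumptions; a real SIEM export would need its own field mapping.

```python
"""Trace sampled SIEM alerts from generation through triage to closure and
compute time-to-detect, so the Detect-function conclusion rests on records
rather than on inquiry.

Added illustration; alert records are constructed, not exported from a real SIEM.
"""
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M:%S"

# Constructed sample. Field meanings (assumed export layout):
#   event_time  - when the underlying activity happened, per the log source
#   alert_time  - when the SIEM rule fired
#   triaged_at  - when an analyst first acknowledged the alert (None if never)
#   closed_at   - when the alert was closed (None if still open)
#   notes       - investigation trail text ("" if nothing was recorded)
SAMPLE_ALERTS = [
    {"id": "A-1001", "event_time": "2026-04-01T02:14:00", "alert_time": "2026-04-01T02:15:30",
     "triaged_at": "2026-04-01T08:05:00", "closed_at": "2026-04-01T09:40:00",
     "notes": "Confirmed scheduled maintenance login; closed as benign."},
    {"id": "A-1002", "event_time": "2026-04-03T11:00:00", "alert_time": "2026-04-03T11:00:45",
     "triaged_at": None, "closed_at": None, "notes": ""},
    {"id": "A-1003", "event_time": "2026-04-05T22:30:00", "alert_time": "2026-04-06T06:00:00",
     "triaged_at": "2026-04-06T06:10:00", "closed_at": "2026-04-06T06:12:00", "notes": ""},
]


def _parse(ts):
    return datetime.strptime(ts, ISO) if ts else None


def assess_alert(alert, max_detect_minutes=60):
    """Return time-to-detect and the list of audit exceptions for one alert."""
    event, fired = _parse(alert["event_time"]), _parse(alert["alert_time"])
    triaged, closed = _parse(alert["triaged_at"]), _parse(alert["closed_at"])
    ttd_minutes = (fired - event).total_seconds() / 60

    exceptions = []
    if ttd_minutes > max_detect_minutes:
        exceptions.append("slow_detection")          # rule fired long after the activity
    if triaged is None:
        exceptions.append("never_reviewed")          # alert exists, no human looked at it
    if closed is not None and not alert["notes"].strip():
        exceptions.append("closed_without_investigation_trail")
    return {"id": alert["id"], "time_to_detect_min": round(ttd_minutes, 1),
            "exceptions": exceptions}


def summarize(alerts, max_detect_minutes=60):
    """Assess every sampled alert and list the ones that need a finding."""
    rows = [assess_alert(a, max_detect_minutes) for a in alerts]
    return {"sampled": len(rows),
            "with_exceptions": [r["id"] for r in rows if r["exceptions"]],
            "rows": rows}


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS)["rows"]:
        print(row)
```

In the constructed sample A-1002 is the classic "alerts exist but nobody reviews them" case, while A-1003 was reviewed and closed in two minutes with no notes, which gives the auditor nothing to trace; both map directly to the common finding above.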

Respond and Recover: Tested Through Exercises, Not Plans

Many organizations have an incident response plan that has never been exercised. Auditing the existence of the document is not auditing the function.

For Respond:

  • Review tabletop exercise reports from the last 12 to 24 months.
  • Trace at least one real incident from detection through resolution to lessons learned.
  • Confirm communication protocols including breach notification timelines (typically 72 hours under several frameworks, 30 days under HIPAA business associate rules, 4 business days for SEC public company materiality determination).
  • Confirm that the response team has trained alternates.

For Recover:

  • Confirm recovery time objectives and recovery point objectives are defined for critical services.
  • Sample disaster recovery test results from the past year.
  • Test the integrity and isolation of backups (a key control against ransomware).
  • Confirm that recovery exercises include cybersecurity scenarios, not just natural disasters.

Evidence That Supports a Real Opinion

The most common evidence quality problem in cybersecurity audit is over-reliance on management assertions. The CIA candidate should pick evidence in this order of reliability:

  1. Auditor reperformance (e.g., the auditor independently runs a vulnerability scan).
  2. System-generated reports from independent sources (e.g., SIEM logs reviewed by the auditor directly).
  3. Third-party assurance reports (SOC 2 Type II from cloud providers, penetration testing reports from independent firms).
  4. Internal management reports with traceability to source.
  5. Inquiry of management alone (lowest reliability, usually not sufficient on its own).

A finding that says "management does not perform user access reviews" should be supported by an attempt to obtain the review evidence, not just a manager saying they do not do it.

Worked Example: A Cloud Migration Audit

Acme Corp is moving its core systems to a major cloud provider. The audit team is asked to provide assurance.

Scoping decisions:

  • Identify function: confirm the asset inventory now includes cloud resources and that the data classification scheme has been re-applied.
  • Protect function: focus on identity and access management (cloud is identity-centric), encryption keys (who holds them), and configuration management. Cloud Security Posture Management (CSPM) tooling output becomes important evidence.
  • Detect function: confirm cloud-native logs flow to the SIEM and not just to the cloud console.
  • Respond function: confirm the response plan covers cloud-specific scenarios (account takeover, misconfigured storage, S3 bucket exposure).
  • Recover function: confirm backup strategy includes cross-region replication and that restoration has been tested.

Evidence selection:

  • Pull the SOC 2 Type II report from the cloud provider for the period.
  • Inspect the SOC 2 user control considerations and confirm Acme has implemented each.
  • Pull the CSPM tool's configuration report and trace high-severity findings to remediation.
  • Sample IAM permissions for high-privilege accounts and confirm least privilege.
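
The last evidence step, sampling IAM permissions for high-privilege accounts, can be partly automated. The script below is an added example, not from the article or from Acme: it screens constructed AWS-style IAM policy documents for Allow statements with wildcard actions or resources and grades each by whether a Condition narrows it. The account names, policy contents and severity scale are assumptions for the illustration; Deny statements are deliberately skipped because they restrict rather than grant access.

```python
"""Screen cloud IAM policy documents attached to sampled high-privilege
accounts for statements that contradict least privilege: wildcard actions,
wildcard resources, or both, with or without a narrowing Condition.

Added illustration; policies are constructed in the AWS JSON policy shape.
"""
import json

# Constructed sample: account name -> policy document as pulled from the console or API.
SAMPLE_POLICIES = {
    "svc-deploy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::acme-artifacts/*"}]}),
    "break-glass-admin": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    "ops-automation": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
             "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
            {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wild(value):
    """True if any entry is a bare '*' or a service-wide 'service:*' wildcard."""
    return any(item == "*" or item.endswith(":*") for item in _as_list(value))


def review_policy(doc_json):
    """Return one exception record per over-broad Allow statement."""
    doc = json.loads(doc_json)
    exceptions = []
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a least-privilege exception
        wild_action = _is_wild(stmt.get("Action", []))
        wild_resource = _is_wild(stmt.get("Resource", []))
        conditioned = "Condition" in stmt
        if wild_action and wild_resource:
            severity = "medium" if conditioned else "high"
        elif wild_action or wild_resource:
            severity = "low" if conditioned else "medium"
        else:
            continue  # specific actions on specific resources: nothing to report
        exceptions.append({"statement": index, "severity": severity,
                           "wild_action": wild_action, "wild_resource": wild_resource,
                           "conditioned": conditioned})
    return exceptions


def review_sample(policies):
    """Review every sampled account; accounts with an empty list need no finding."""
    return {name: review_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for account, findings in review_sample(SAMPLE_POLICIES).items():
        print(account, findings or "no exceptions")
```

The output is a starting point, not the conclusion: the auditor still has to establish whether break-glass-admin is a documented emergency account with compensating controls (logging, approval, short-lived credentials) before deciding whether the high-severity exception becomes a finding.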

This is much more useful than a generic "are cybersecurity controls in place" engagement.

Common Internal Audit Mistakes

  • Auditing the existence of a document instead of the operation of the function.
  • Treating the SOC 2 report as evidence without checking which controls were tested and whether the user control considerations apply.
  • Focusing only on the Protect function and ignoring Identify and Detect.
  • Writing findings that copy industry frameworks without tying to the organization's specific risk.
  • Aggregating low-value findings instead of fewer high-value findings ranked by risk.

Exam Framing

CIA exam questions on cybersecurity audit typically test:

  1. Mapping a control objective to a NIST CSF function.
  2. Selecting the most reliable evidence for a given assertion.
  3. Identifying scope gaps (e.g., a cybersecurity audit that excludes the supply chain).
  4. Recommending audit procedures for a specific function.

The most consistent test approach: when in doubt, prefer system-generated evidence over inquiry, prefer exercise results over plan existence, and prefer findings tied to specific organizational risk over generic framework gaps.
