Who is the Federal Internal Audit (FIA)?
The FIA, created by Royal Decree in 2016, is an independent body administratively hosted by the FPS Chancellery of the Prime Minister. Its audit mandate covers a diverse landscape of 19 large federal public services and 27 associated smaller entities with accounting autonomy, employing a total of 84,594 full-time employees and operating a budget of €5.8 billion.
The FIA’s primary aim is to assess the effectiveness of organizational control systems and risk management frameworks within these entities. It conducts a wide range of audits, including operational, financial, IT, and forensic audits, the latter being driven by the whistleblower directive. The focus of the FIA’s evaluations is to improve the federal administration’s functioning. By providing recommendations and ensuring their follow-up, it helps public organizations achieve their goals.
The FIA works under the supervision of the Audit Committee of the Federal Administration, which monitors the performance and quality of its audits. Importantly, the FIA follows the principle of the ‘single audit,’ avoiding duplication of audit efforts across various oversight bodies. It collaborates with other oversight bodies such as the Court of Auditors and the Inspection of Finances.
The FIA’s role in cybersecurity audits
As an auditor the FIA has the responsibility to act on the most important organizational risks. Cybersecurity and data security remain at the top of the list with the volume and velocity of attacks rising rapidly because of new artificial intelligence (AI) hacking techniques. The FIA has a dedicated team within its ranks specializing in cybersecurity and continues to invest in this growing focus area.
Since 2019, the FIA has been actively involved in IT security audits, addressing key vulnerabilities in the federal entities it oversees. Besides raising awareness among the entities’ management, these audits aim to provide assurance on the operational, compliance and reputational risks to the organisations’ cyber resilience, and to minimize the organisations’ exposure to misconfigurations and weaknesses in their environment.
The IT security audits performed by the FIA consist of two components. The first part is a security capabilities audit based on interviews and evidence. The second part covers vulnerability assessments and technical testing. In the future, entities will be able to perform these tests themselves, but the FIA initially performed them itself to raise broader awareness of cybersecurity issues. For its IT security audits the FIA uses multiple methodologies, including the CCB’s Baseline Security Guidelines, the ISO 27001 and NIST frameworks, and specialized support from subcontractors.
While public organisations have become more aware of cybersecurity risks, the FIA acknowledges that the overall maturity of public institutions is still quite low, and improving it is an important challenge. Yet the FIA is in a unique position to offer a broad view of cybersecurity in the public sector and to compare results between federal entities. This was indeed done during a ‘lessons learned’ workshop in 2023, which offered an opportunity to create synergies between entities and to tackle challenges together within a strategy of knowledge sharing.
Shifting gears with NIS2 ahead
The NIS2 Directive is set to have a significant impact on the cybersecurity landscape in the EU and, by extension, on the public sector in Belgium. NIS2 introduces stricter cybersecurity obligations for critical infrastructure and essential services. The FIA has been designated as a Conformity Assessment Body (CAB) under a Royal Decree issued in June 2024. An authorisation by the CCB is required to perform the conformity assessments and verification audits of the federal entities.
Like other Belgian organisations, public entities have some time to comply with the NIS2 requirements. For the conformity assessment, they have three options: they can have their verification/certification done by a CAB (such as the FIA), opt for an ISO 27001 certification, or turn to the CCB directly for an inspection. It will be a challenge for the FIA to gain a clear understanding of which option each entity will choose.
The FIA is set to help the public entities within its audit landscape with NIS2. In 2024, it conducted an audit to evaluate the entities’ preparedness for the implementation of NIS2. This evaluation has helped to identify gaps in their cybersecurity frameworks, to prioritize areas for improvement, and to compare their current readiness with that of other entities. Based on a self-assessment, the evaluation is intended to make entities aware of the need for a clear plan, resources, roles and responsibilities in view of NIS2.
Challenges for the audit function
While the FIA is well-positioned to support federal entities in strengthening their cybersecurity frameworks, several challenges lie ahead. One clear challenge is the need to reshape the audit approach to reflect the FIA’s new role as a CAB under NIS2. This is why the FIA is developing a new governance structure, aligned with ISO 17029 and ISO 17021-1, based on the principles of impartiality, competence, and continuous training for auditors.
Another key challenge is the growing demand for skilled cybersecurity professionals. The FIA, like many other organizations, faces difficulties in recruiting and retaining cybersecurity talent. To effectively carry out its expanded responsibilities under NIS2, the FIA will need to invest in upskilling and reskilling its audit staff to meet the evolving demands of cybersecurity audits.
How internal audit can help strengthen cybersecurity
Internal audit functions, such as those provided by the FIA, are essential to the public sector’s efforts to strengthen cybersecurity. By providing insights into the relationship between cybersecurity and organizational risk, internal audits can help prioritize responses and control activities. Additionally, auditing for cybersecurity risk mitigation across all relevant facets of the organization ensures comprehensive coverage. Internal audit can also provide assurance in remediation activities, raise risk awareness, and coordinate with cybersecurity risk management.
Furthermore, internal audit can validate that cybersecurity provisions are integrated into the organization’s business continuity plans and disaster recovery testing efforts. This ensures that the organization is prepared to respond to and recover from cyberattacks.
Ultimately, as cyber threats grow in complexity, the internal audit function will remain a cornerstone in ensuring that public sector organizations not only comply with regulations like NIS2 but also proactively enhance their cyber resilience.
The Framework of Cybersecurity Topical Requirements by the IPPF
The Cybersecurity Topical Requirements, developed by the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA), provide valuable guidelines for the audit function.
These requirements are particularly interesting because they provide a detailed insight into what auditors will actually focus on when auditing cybersecurity risks, governance, and controls.