IIA Releases New Global Technology Audit Guide on Insider Threat Programs

This GTAG helps internal auditors understand insider threats and related risks by providing an overview of common traits of main players, key risks, and potential impacts. Additionally, the guide presents security frameworks, techniques, considerations, and resources that can help during the planning and execution of audit engagements.

Key terms in the insider threat universe are defined, and the guide offers recommendations auditors can use to improve existing insider threat programs or create new programs. It distinguishes between malicious and nonmalicious incidents and describes behaviors that may precede a threat action.

By becoming aware of insider threats and the associated risks and by learning about insider threat programs, internal auditors have a tremendous opportunity to add value by helping their organizations strengthen governance, risk management, and control processes.

Additionally, this guidance will:

• Provide a greater understanding and appreciation for insider threats.
• Describe the typical actors who present insider threats in their organizations, as well as how to identify them and recognize suspect behaviors.
• List resources available to assist in identifying, monitoring, and reacting to insider threats.
• Explain how to develop and deliver communications to senior management and the board.
• Develop an audit approach to address specific insider threats that exist in individual organizations in a collaborative fashion with IS leadership and management.
• Outline how to use available references/resources to assist and support auditors in expanding their knowledge and skills.

IIA members are invited to download this guidance and all guidance free, as a benefit of membership. Nonmembers may purchase Supplemental Guidance by visiting the IIA Bookstore.