Internal Audit Flags Missing Cybersecurity Controls Across 12 Subsidiaries Under Shared Governance Model
The Challenge
Northern Equinox Holdings, a mid-sized Canadian conglomerate, entered its annual internal audit expecting routine checks on financial reporting, HR documentation, and IT access. Instead, the audit team uncovered a systemic problem. Cybersecurity controls were inconsistent across 12 subsidiaries that operated under a shared governance model. What was designed for efficiency had become a source of risk.
Over several years of acquisition-driven growth, the company centralized finance, HR, and IT. Subsidiaries, however, interpreted corporate policies differently and implemented controls at different maturity levels. The audit identified missing incident response plans, no multifactor authentication for critical systems, and outdated encryption in several divisions. One cloud storage bucket held sensitive HR data, unencrypted and accessible to anyone with the link.
The gaps were not only technical. Governance committees met quarterly, but cybersecurity metrics were not reviewed alongside financial results. Local managers, unfamiliar with PIPEDA and relevant provincial privacy laws, assumed head office handled compliance. In reality, responsibility had been delegated without clear accountability.
Legal counsel warned that a privacy incident could expose the parent entity to penalties and reputational damage. External auditors considered the weaknesses potentially material, which raised the risk of regulatory scrutiny and investor concern. The lesson was clear. Shared governance without shared accountability had created a shared vulnerability.
Our Solution
We delivered a focused Audit and Attestation engagement to re-align governance and standardize controls.
1. Enterprise Control Framework: Developed a single, organization-wide cybersecurity policy set covering data protection, access management, secure configuration, and incident response. Responsibilities and reporting lines were clarified for each subsidiary.
2. Risk-Based Remediation Plan: Quantified control deficiencies, assigned severity ratings, and mapped requirements to PIPEDA and CCCS Baseline Controls. Set remediation priorities based on risk.
3. Board-Level Integration: Embedded cybersecurity metrics into quarterly audit committee meetings with dashboards tracking incidents, patching cadence, MFA coverage, and vendor posture.
4. Subsidiary Enablement: Conducted workshops for IT and compliance leads to ensure consistent implementation of MFA, encryption, and centralized logging.
5. Attestation Readiness: Prepared evidence aligned to ISO/IEC 27001 and SOC 2 readiness to strengthen assurance for stakeholders.
The Value
- 92% reduction in open cybersecurity audit findings within six months.
- 100% subsidiary adoption of standardized incident response and encryption protocols.
- Board oversight via dashboards improved accountability and reduced risk escalation time.
- Material weakness finding withdrawn by external auditors after validation.
- SOC 2 Type I readiness, enhancing partner and investor confidence.
These outcomes reduced the likelihood and impact of privacy incidents, improved compliance, and positioned cybersecurity as a managed business risk.
Implementation Roadmap
Phase 1: Assessment and Discovery, Months 1–2
- Full-scope internal control audit across 12 subsidiaries.
- Mapped practices to PIPEDA and CCCS Baseline Controls.
- Prioritized risks and assigned remediation owners.
Phase 2: Framework and Governance Alignment, Months 3–4
- Published unified control framework and minimum baselines.
- Updated policies and procedures, including incident response and access control.
- Launched executive dashboards for audit committee review.
Phase 3: Technical Remediation and Training, Months 5–6
- Rolled out MFA for high-risk accounts.
- Enforced encryption and centralized logging organization-wide.
- Delivered targeted training for IT, compliance, and line managers.
Phase 4: Validation and Continuous Improvement, Months 7–8
- Re-audit to verify remediation completion and effectiveness.
- Delivered attestation readiness packet for external auditors.
- Established continuous control monitoring with alerts and quarterly tuning.
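The risk-based remediation plan, the MFA-coverage dashboard metric and the continuous control monitoring in Phase 4 all reduce to the same mechanism: evaluate each subsidiary's control inventory against the minimum baseline and rank what is missing by severity. The script below is an added example written for this page, not code from Northern Equinox Holdings or the engagement described. The subsidiary names, systems, buckets, severity scale and the list of protocols treated as outdated are all constructed assumptions; the control set itself mirrors the audit's findings (missing incident response plans, no MFA on critical systems, outdated encryption, an unencrypted publicly reachable bucket).

```python
"""Baseline control check over a per-subsidiary control inventory.

Added example; all subsidiary, system and bucket data below is constructed,
and the severity scale and OUTDATED_ENCRYPTION set are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Protocols/ciphers treated as outdated for this example (assumption).
OUTDATED_ENCRYPTION = {"3des", "rc4", "tls1.0", "tls1.1"}

# Assumed severity scale, 1 = remediate first.
SEVERITY = {
    "public_bucket_unencrypted": 1,
    "mfa_missing_critical": 1,
    "no_incident_response_plan": 2,
    "outdated_encryption": 2,
    "no_central_logging": 3,
}


@dataclass
class Bucket:
    name: str
    encrypted: bool
    public: bool  # reachable by anyone with the link


@dataclass
class System:
    name: str
    critical: bool
    mfa: bool
    encryption: str  # protocol/cipher label as recorded in the inventory


@dataclass
class Subsidiary:
    name: str
    has_ir_plan: bool
    central_logging: bool
    systems: list[System]
    buckets: list[Bucket]


def findings_for(sub: Subsidiary) -> list[tuple[str, str]]:
    """Return (control_id, affected asset) pairs for every baseline gap in one subsidiary."""
    out = []
    if not sub.has_ir_plan:
        out.append(("no_incident_response_plan", sub.name))
    if not sub.central_logging:
        out.append(("no_central_logging", sub.name))
    for s in sub.systems:
        if s.critical and not s.mfa:
            out.append(("mfa_missing_critical", f"{sub.name}/{s.name}"))
        if s.encryption.lower() in OUTDATED_ENCRYPTION:
            out.append(("outdated_encryption", f"{sub.name}/{s.name}:{s.encryption}"))
    for b in sub.buckets:
        if b.public and not b.encrypted:
            out.append(("public_bucket_unencrypted", f"{sub.name}/{b.name}"))
    return out


def remediation_plan(subs: list[Subsidiary]) -> list[tuple[str, str]]:
    """All findings across subsidiaries, highest severity first, then by asset label."""
    items = [f for sub in subs for f in findings_for(sub)]
    return sorted(items, key=lambda f: (SEVERITY[f[0]], f[1]))


def mfa_coverage(subs: list[Subsidiary]) -> float:
    """Dashboard metric: fraction of critical systems that enforce MFA."""
    critical = [s for sub in subs for s in sub.systems if s.critical]
    if not critical:
        return 1.0
    return sum(1 for s in critical if s.mfa) / len(critical)


def adoption_rate(subs: list[Subsidiary], has_control) -> float:
    """Dashboard metric: fraction of subsidiaries satisfying a control predicate."""
    return sum(1 for s in subs if has_control(s)) / len(subs)


# Constructed sample inventory: one compliant subsidiary and two with gaps.
SAMPLE = [
    Subsidiary("Maple Logistics", True, True,
               [System("erp", True, True, "tls1.2"), System("hr-portal", True, True, "tls1.3")],
               [Bucket("payroll-archive", encrypted=True, public=False)]),
    Subsidiary("Boreal Manufacturing", False, True,
               [System("mes", True, False, "tls1.0")],
               []),
    Subsidiary("Tundra Services", True, False,
               [System("crm", True, True, "tls1.2"), System("wiki", False, False, "tls1.2")],
               [Bucket("hr-exports", encrypted=False, public=True)]),
]

if __name__ == "__main__":
    for control_id, asset in remediation_plan(SAMPLE):
        print(f"sev {SEVERITY[control_id]}  {control_id:28} {asset}")
    print(f"MFA coverage (critical systems): {mfa_coverage(SAMPLE):.0%}")
    print(f"IR plan adoption: {adoption_rate(SAMPLE, lambda s: s.has_ir_plan):.0%}")
```

Run on a schedule against an exported inventory, the same `findings_for` output becomes the alert feed for continuous control monitoring, and the two rate functions are the numbers a board dashboard would track quarter over quarter; tuning the baseline means editing `SEVERITY` and `OUTDATED_ENCRYPTION`, not the check logic.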