Internal Audit Flags Missing Cybersecurity Controls Across 12 Subsidiaries Under Shared Governance Model

The Challenge

The internal audit team at NorthRiver Holdings, a mid-sized Canadian conglomerate with twelve subsidiaries in energy, logistics, and manufacturing, began its annual cybersecurity audit expecting a routine review. Instead, the team uncovered widespread deficiencies that had quietly accumulated across multiple business units under a shared governance model.

Although a corporate cybersecurity policy existed, implementation varied widely. Only four subsidiaries had endpoint protection aligned with corporate standards. Several entities operated with outdated firewalls and lacked documented incident response plans. Three divisions had no quarterly access reviews, which left privileged accounts active after staff departures.

The shared governance design, once viewed as a way to balance efficiency and autonomy, created fragmented accountability. Subsidiaries maintained separate IT leadership and reporting lines. Policies set at the holding company level were not consistently enforced or monitored. Without a centralized risk dashboard, executives lacked visibility into compliance status until the audit findings arrived.

The risks were not only technical. Inconsistent controls increased the likelihood of non-compliance with PIPEDA. Customer data was stored without standardized encryption, and third-party vendors were onboarded without uniform due diligence. As a result, overlapping exposures emerged that no single team fully understood.

Operational disruption and reputational concerns followed. Business unit leaders said they lacked the resources and guidance needed to implement corporate policies. The audit team reminded senior leadership and the board that ultimate accountability for governance rests at the parent level under Canadian corporate oversight expectations.

By the end of the audit cycle, NorthRiver faced a long list of issues: missing security baselines, inconsistent vulnerability management, weak attestation procedures, and limited oversight. Without corrective action, the organization risked internal control failures and regulatory non-compliance. The lesson was clear. Shared governance works only when accountability, unified standards, and continuous attestation are present.

Our Solution

As the engaged Cybersecurity and Privacy Risk Advisory Partner, we focused on restoring unified governance and measurable compliance across all twelve subsidiaries.

Service components:
1. Governance realignment: Implemented a centralized framework mapped to ISO/IEC 27001 and the NIST CSF, with defined roles, decision rights, and reporting.
2. Control remediation and standardization: Upgraded firewalls, deployed enterprise endpoint protection, enforced quarterly access reviews, and documented policies and procedures.
3. Audit and attestation integration: Deployed a Governance, Risk, and Compliance (GRC) platform to enable control ownership, evidence collection, and scheduled attestations.
4. Training and change management: Delivered targeted sessions for executives, IT leaders, and control owners, with emphasis on responsibilities under PIPEDA and the CBCA.

The Value

After a nine-month remediation program, NorthRiver realized measurable improvements:
– 87% reduction in unresolved control deficiencies compared with the prior audit.
– 100% of subsidiaries aligned with corporate cybersecurity policies, with annual attestations completed.
– 60% improvement in audit readiness scores, validated by an external assessor.
– Consistent PIPEDA safeguards in place, including standardized encryption and access controls for personal information.
– Real-time oversight via a single governance dashboard for executives and the board.

These results strengthened regulatory confidence, reduced operational risk, and offered clear visibility into the organization’s cyber posture.

Implementation Roadmap

Phase 1: Diagnostic and Risk Mapping (Months 1–2)
– Validate internal audit findings across all subsidiaries.
– Map gaps to ISO/IEC 27001 and NIST CSF controls.
– Identify high-risk areas that affect PIPEDA compliance.

Phase 2: Governance and Policy Integration (Months 3–4)
– Establish a centralized policy and standard repository.
– Publish templates for risk assessment, incident response, and access review.
– Define board and subsidiary reporting lines and meeting cadence.

Phase 3: Technology and Control Deployment (Months 5–7)
– Roll out endpoint protection, firewall upgrades, and unified IAM.
– Onboard all entities to the GRC platform with clear control ownership.
– Standardize patch management and hardening baselines.

Phase 4: Training, Attestation, and Validation (Months 8–9)
– Deliver role-based training for leaders and control owners.
– Run quarterly attestation cycles with evidence collection in the GRC tool.
– Conduct a follow-up audit to confirm control effectiveness and close remaining gaps.

Outcome: NorthRiver moved from fragmented oversight to a cohesive and compliant cybersecurity program. The board gained reliable visibility into enterprise risk, and subsidiaries operated under clear, enforceable standards that improved security and reduced compliance exposure.