How Internal Auditors Can Use the DVMS to Strengthen Cyber Risk Scoping and Testing


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

Internal audit has become one of the most critical functions in organizations navigating cybersecurity threats, digital transformation, regulatory pressure, and increasing expectations around operational resilience and digital trust.

Historically, internal audit approached technology and cybersecurity primarily through compliance-driven, control-based testing. However, as digital ecosystems become increasingly interconnected and risk becomes more dynamic, internal auditors must adapt their methods.

The Digital Value Management System (DVMS) offers a modern, systems-based approach that enables auditors to understand better and test how people, processes, technology, and governance interact to produce—or fail to produce—digital value outcomes. By leveraging the DVMS architecture, internal auditors can enhance scoping, strengthen testing, improve assurance quality, and deliver insights that are more closely aligned with executive and board expectations.

Understanding DVMS as a Scoping and Testing Framework

The DVMS is built on the integration of three foundational components: Governance Intent, Operational Capability, and Assurance Evidence. These components do not operate independently—they form a closed-loop system that ensures digital programs such as Cybersecurity, GRC, ITSM, and AI are adequately governed, executed effectively, and validated with credible evidence. For internal auditors, this architecture provides a natural structure for scoping audits, identifying systemic weaknesses, and designing tests that evaluate not only the existence of controls but also their effectiveness and outcome reliability.

Traditional audit scoping often begins with a risk register, a set of policies, or a list of controls mapped against frameworks. The DVMS enhances this by enabling auditors to start with a more fundamental question: Is the organization’s digital work system designed in a way that can produce the outcomes leadership expects? This systems-level perspective leads to deeper, more accurate scoping and prevents auditors from spending time on controls that may exist but are irrelevant to real-world outcomes.

Using Governance Intent to Define Audit Scope

Governance Intent represents the organization’s formal expectations, including policies, standards, risk appetite, procedural requirements, and decision-making structures. For internal auditors, Governance Intent becomes one of the most potent tools for scoping. Instead of focusing solely on whether policies exist, auditors can evaluate alignment between governance intent and business reality.

Internal auditors should begin by reviewing key documents, including cybersecurity strategies, risk appetite statements, resilience plans, policy frameworks, and program charters. These documents tell the story of what executives believe is happening. Audit scoping, then, should compare this intended design against operational execution. When governance intent is unclear, incomplete, contradictory, or outdated, auditors can immediately identify areas of scope, such as unclear roles, inadequate oversight, or policy gaps. If governance intent is strong, auditors can scope their testing to verify whether operations and assurance mechanisms align with those intentions.

This gives internal audit a clear, risk-based structure: focus audit effort where governance intent and operational reality diverge.

Evaluating Operational Capability as a Basis for Testing

Operational Capability encompasses the people, processes, technologies, and culture that are responsible for executing work. Internal auditors can utilize this layer of the DVMS to pinpoint areas where testing will have the most significant impact.

Capabilities can be assessed through interviews, workflow analysis, system walkthroughs, and review of process documentation. Instead of only checking whether a control exists, auditors should examine whether the underlying capability can consistently deliver the expected outcome. For instance, a policy may require timely patching; but if capacity, skill sets, workflow design, or tool integration are inadequate, the capability cannot meet the intent—even if controls appear to exist on paper.

Internal auditors can use DVMS to classify operational weaknesses, such as:

  • misaligned processes
  • unclear responsibilities
  • inadequate skills or staffing
  • outdated technology
  • cultural resistance
  • fragmented workflows
  • siloed teams


Testing should then focus on verifying whether these capabilities can meet expectations, especially under stress, which is a core principle of DVMS.

Using Assurance Evidence to Validate Outcomes

The third DVMS component—Assurance Evidence—is where the internal audit’s role becomes most visible. Assurance Evidence includes metrics, reports, dashboards, logs, artifacts, and documents that demonstrate whether expected outcomes are being achieved.

Internal auditors can use the DVMS intelligence-driven model to test:

  1. Does the organization generate evidence that is complete, accurate, and reliable?
  2. Does the evidence meaningfully demonstrate whether outcomes are being achieved?
  3. Is evidence produced consistently and used by leadership to make decisions?


A common failure uncovered through DVMS-informed testing is that organizations generate large volumes of data but lack a system for transforming that data into actionable insights. Internal auditors can scope and test whether assurance evidence is:

  • aligned to governance intent
  • relevant to operational capability
  • trustworthy under stress
  • used by executives and boards to evaluate program performance


If assurance evidence cannot be trusted, the organization cannot assure outcomes—regardless of how strong its governance or operations appear.

Applying DVMS to Risk-Based Scoping

One of the most significant benefits the DVMS brings to internal audit is a more accurate method for scoping risk. Instead of scoping based solely on frameworks, auditors can scope based on systemic alignment.

Internal auditors should begin by mapping:

  • governance expectations
  • operational capability
  • evidence reliability


Where any of the three are misaligned, the DVMS identifies these as risk concentration points. These points should become audit scope priorities because they represent areas most likely to result in operational failures, regulatory non-compliance, and reputational harm.

Scoping based on DVMS also prevents redundant audits, reduces audit fatigue, and increases the likelihood that audit findings accurately reflect the organization’s ability to produce measurable, resilient, and trusted outcomes.

Using DVMS to Design More Effective Tests

Once the scope is established, internal auditors can use DVMS to develop more impactful tests. These tests should examine:

  • whether governance intent is clear, current, and communicated
  • whether operational capabilities can meet those expectations
  • whether assurance evidence accurately reflects actual performance
  • whether resilience practices can withstand stress or disruption


Testing moves away from “check-the-box” control verification toward evaluating the system’s ability to deliver outcomes. This shift is valuable for leaders, as it aligns audit reporting with board and regulatory expectations.

Enhancing Audit Reporting With DVMS

Ultimately, internal auditors can utilize DVMS principles to structure audit reporting in a manner that resonates with executives and boards. Findings should be categorized according to:

  • governance intent gaps
  • operational capability deficiencies
  • assurance evidence weaknesses
  • cultural or behavioral issues


This structure improves clarity, enhances board oversight, and drives more actionable remediation.

Conclusion

The DVMS provides internal auditors with a robust, modern framework for scoping and testing digital programs. By aligning audit methods to Governance Intent, Operational Capability, and Assurance Evidence, auditors can identify systemic weaknesses, validate real-world outcomes, and provide executives and boards with meaningful, evidence-based assurance. Instead of auditing controls in isolation, auditors using DVMS evaluate whether the entire system can deliver the value, resilience, and trust the organization promises. This makes internal audit not just a compliance checker, but a strategic enabler of digital success.


About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

DVMS Cyber Resilience Professional Accredited Certification Training

Governing, Assuring, and Accounting for Resilient Digital Value Outcomes In Complex, Fragmented Systems

Explainer Video – Paper vs. Living System Governed by Assurance

Despite abundant frameworks and dashboards, leaders still struggle to see how their digital value streams perform under real-world stress.

Intent, structure, and day-to-day behavior are examined in isolation, creating flat views that hide how decisions and human responses interact in a living digital system.

The result is governance that looks strong on paper but falters in practice, leaving leaders to juggle disconnected controls instead of actively strengthening the resilience of their digital value.

What’s needed is a framework-agnostic overlay system capable of governing, assuring, and accounting for digital value resilience across complex, fragmented systems.

Digital Value Management System® (DVMS)

An Overlay Management System to Govern, Assure, and Account for Resilient Digital Value Outcomes in Complex, Fragmented Systems

Explainer Video – What is a Digital Value Management System (DVMS)

The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented frameworks and systems such as NISTCSF, GRC, ITSM, and AI into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital system.

At its core, the DVMS is a simple but powerful integration of:

  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assurance Evidence – proof that outcomes are achieved and accountable
  • Cultural Learning – to continually fine-tune governance intent and operational capabilities

Underpinning this integration are three distinctive DVMS models:

Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution in order to create, protect, and deliver digital business value as an integrated, continuously adaptive organizational capability.

3D Knowledge (3DK) – The 3DK Model™ is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.

Minimum Viable Capabilities (MVC) – The MVC™ model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.

The integration of these models then enables three distinctive digital value management organizational capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

In summary, a DVMS enables organizations of any size, scale, or complexity to:

  • Govern through risk-informed decision-making
  • Sustain digital value resilience through a proactive and adaptive culture
  • Measure performance assurance through evidence-based outcomes
  • Ensure accountability by making intent, execution, and evidence inseparable

The People and Culture That Power a DVMS

Explainer Video – The Human Engine of DVMS

Delivering the outcomes of a DVMS requires coordinated action across an enterprise’s strategy, governance, and operational layers.

Each of these business layers contains unique roles that, when aligned, enable organizations to ensure the resilience of their digital value across their complex and fragmented digital systems.

Together, these roles create an adaptive, risk-informed, and resilient culture capable of thriving in a complex and chaotic digital business environment.

Scaling A DVMS Program – Where Do You Start?

Explainer Video – Scaling a DVMS Program

The DVMS FastTrack Model is a phased, iterative approach that helps organizations mature their Digital Value Management System over time, rather than trying to do everything simultaneously.

This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make resilient. Once that service has integrated DVMS at its boundaries, it becomes the blueprint for operationalizing DVMS in the remaining digital services.

The DVMS training provides an example of how to operationalize the NIST Cybersecurity Framework and ensure its digital value resilience across complex, fragmented systems.

DVMS Program Benefits

Explainer Video – DVMS Organization and Leadership Benefits

DVMS Organizational Benefits

Instead of replacing existing operational frameworks and their management systems, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

The DVMS Certified Training Programs

Explainer Video – The DVMS Training Pathway to Operational Cyber Resilience

The DVMS Institute’s certification training programs and body-of-knowledge publications equip leaders, practitioners, and employees with the skills to govern operational cyber-resilience through an evidence-based system that assures and accounts for digital value outcomes.

Grounded in real-world governance challenges and aligned with NIST CSF 2.0, the DVMS Institute’s training programs teach organizations how to build measurable capability, transparent accountability, and defensible confidence in decision-making.

Through structured learning, applied certification, and authoritative publications, the Institute advances a disciplined, outcome-driven approach to managing digital risk, performance, and resilience as an integrated system.

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Cyber Resilience Foundation Certification Training

The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system that transforms systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

The Assurance Mandate White Paper Series

Explainer Video – Why GRAA is the Next Evolution of GRC

The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.

The Assurance Mandate Paper explains why traditional GRC artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.

The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.

The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.


Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

© DVMS Institute 2025. All Rights Reserved.
