Strategies for Deriving Maximum Benefit From Audit. Allan Boardman CyberAdvisor.London

Transcription

1

2 Strategies for Deriving Maximum Benefit From Audit Allan Boardman CyberAdvisor.London

3 Agenda Setting the scene Why Audit often struggle working with Security and Risk Spotlight on Audit Spotlight on Security Spotlight on Risk Highlight specific conflict areas Strategies for successful partnership

4 About the presenter Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP Independent Business Advisor CyberAdvisor.London Most recently Business Information Security Officer at GSK Background in Audit, Risk, Security and Governance roles Chair ISACA International Audit and Risk Committee, 2014/15 currently a member Chair ISACA International Credentialing Board & Career Management Board, 2011/14 Member ISACA International Board of Directors, 2011/14 Member ISACA International Strategy Advisory Council, 2011/14 ISACA International Vice President, 2012/14 Member ITGI Board of Trustees, 2012/14 Chair CISM Certification Committee 2009/11, member since 2006 Member ISACA CGEIT Certification Committee 2016/current Member ISACA Leadership Development Committee 2010/11 London Chapter President 2004/06. Chapter Board member 1999/08 Paralympics and Olympics Volunteer London 2012, Sochi 2014, Rio 2016

5 Are you ready for this?

6 Spotlight on Audit Some common characteristics: Enquiring Searching Probing Analytical Attention to detail Determined Persistent Thorough Question: What s the difference between a Rottweiler and an auditor? Answer: The Auditor eventually lets go!

7 Business perception? How do others view Audit?

8 How does the business react when Audit arrive?

9 Actual business reaction??

10 Run for the hills, the auditors are coming!!

11 It s all about perception

12 Spotlight on Security Security s dilemma: Significantly increased threat landscape Working with limited resources Lack of skilled people resources Pressure on costs Increased level of incidents Devote significant efforts on audit issues Impact on BAU activities?

13 Is Security guilty of overusing FUD?

14 Does Security have an image problem?

15 Are Security People a Bunch of Geeks?

16 Spotlight on Risk Alignment with Operational Risk Owns the control framework and risk assessment methodology Perception that Risk is looking ahead and Audit looking back Potential overlaps with security 1 st Line or 2 nd Line? Where does Compliance come into the picture?

17 Three Lines of Defence Model Framework helps understanding the role of internal audit in the overall risk management and internal control process. 1 st Line - - > Operational management controls 2 nd Line - - > Monitoring controls 3 rd Line - - > Independent assurance

18 Specific areas that highlight potential conflicts Tone at the top can drive undesirable behavior Open communications? Audit requirements, i.e. things done because Audit say so Checkbox, i.e. things done just for Audit Strict adherence to auditing against policies Pre-audits or clean up exercises before audits Continuous auditing. Being close to the deal flow Feeling of being over-audited Adverse audit points linked directly to staff pay awards

19 So how do we move forward? From this To this From this To this

20 Communication is key

21 Strategies for successful partnership Respect business priorities Establish credibility Develop relationships at all levels Get a seat at the table Be well prepared and learn the business Be empathetic and reasonable Be prepared to be flexible Audit findings must be practical and risk based Look for opportunities to provide advice Be a trusted but critical partner and advisor Solicit feedback Communicate, communicate, communicate! Remember: All supporting the same business objectives Security and Risk also have a role to play Overall Align with management in such a way that organizational goals are jointly achieved Leave every place a little better than you found it

22 Word of caution: Don t be a pushover

23 How much do management know about Audit Ten ways to get the most from Internal Audit

24 IT Audit Best Practices 2016

25 Final Reminder If Internal Audit was an option, i.e. not mandated, would your business choose to have it?

26 Just a Reminder of the origins of audit (over 800 years old!) Magna Carta signed at Runnemede, England 15 June 1215

27 Final, final thought

28 Thank

29