Strategies for Deriving Maximum Benefit From Audit
Allan Boardman, CyberAdvisor.London
Agenda
Setting the scene
Why Audit often struggles working with Security and Risk
Spotlight on Audit
Spotlight on Security
Spotlight on Risk
Highlight specific conflict areas
Strategies for successful partnership
About the presenter
Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP
Independent Business Advisor, CyberAdvisor.London
Most recently Business Information Security Officer at GSK
Background in Audit, Risk, Security and Governance roles
Chair, ISACA International Audit and Risk Committee, 2014/15; currently a member
Chair, ISACA International Credentialing Board & Career Management Board, 2011/14
Member, ISACA International Board of Directors, 2011/14
Member, ISACA International Strategy Advisory Council, 2011/14
ISACA International Vice President, 2012/14
Member, ITGI Board of Trustees, 2012/14
Chair, CISM Certification Committee 2009/11; member since 2006
Member, ISACA CGEIT Certification Committee 2016/current
Member, ISACA Leadership Development Committee 2010/11
London Chapter President 2004/06; Chapter Board member 1999/08
Paralympics and Olympics Volunteer: London 2012, Sochi 2014, Rio 2016
Are you ready for this?
Spotlight on Audit
Some common characteristics:
Enquiring
Searching
Probing
Analytical
Attention to detail
Determined
Persistent
Thorough
Question: What's the difference between a Rottweiler and an auditor?
Answer: The auditor eventually lets go!
Business perception? How do others view Audit?
How does the business react when Audit arrive?
Actual business reaction??
Run for the hills, the auditors are coming!!
It's all about perception
Spotlight on Security
Security's dilemma:
Significantly increased threat landscape
Working with limited resources
Lack of skilled people resources
Pressure on costs
Increased level of incidents
Devoting significant effort to audit issues
Impact on BAU activities?
Is Security guilty of overusing FUD?
Does Security have an image problem?
Are Security People a Bunch of Geeks?
Spotlight on Risk
Alignment with Operational Risk
Owns the control framework and risk assessment methodology
Perception that Risk is looking ahead and Audit looking back
Potential overlaps with Security
1st Line or 2nd Line?
Where does Compliance come into the picture?
Three Lines of Defence Model
The framework helps in understanding the role of internal audit in the overall risk management and internal control process.
1st Line -> Operational management controls
2nd Line -> Monitoring controls
3rd Line -> Independent assurance
Specific areas that highlight potential conflicts
Tone at the top can drive undesirable behaviour
Open communications?
Audit requirements, i.e. things done because Audit say so
Checkbox, i.e. things done just for Audit
Strict adherence to auditing against policies
Pre-audits or clean-up exercises before audits
Continuous auditing: being close to the deal flow
Feeling of being over-audited
Adverse audit points linked directly to staff pay awards
So how do we move forward? From this, to this.
Communication is key
Strategies for successful partnership
Respect business priorities
Establish credibility
Develop relationships at all levels
Get a seat at the table
Be well prepared and learn the business
Be empathetic and reasonable
Be prepared to be flexible
Audit findings must be practical and risk based
Look for opportunities to provide advice
Be a trusted but critical partner and advisor
Solicit feedback
Communicate, communicate, communicate!
Remember: all are supporting the same business objectives; Security and Risk also have a role to play
Overall: align with management in such a way that organizational goals are jointly achieved
Leave every place a little better than you found it
Word of caution: Don't be a pushover
How much do management know about Audit?
Ten ways to get the most from Internal Audit
IT Audit Best Practices 2016
Final Reminder If Internal Audit was an option, i.e. not mandated, would your business choose to have it?
Just a reminder of the origins of audit (over 800 years old!)
Magna Carta, signed at Runnymede, England, 15 June 1215
Final, final thought
Thank you
info@cyberadvisor.london
@allanboardman
www.linkedin.com/in/allanboardman