Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.


Aalborg Universitet
Vision for IT Audit 2020
Berthing, Hans Henrik Aabenhus
Publication date: 2014
Document version: Early version, also known as pre-print

Vision for IT Audit 2020
Hans Henrik Berthing, Partner, Statsautoriseret Revisor (State Authorised Public Accountant), CIA, CGEIT, CRISC, CISA

Agenda
- Challenges for IT auditors today
- Cloud governance
- Third party reporting: ISAE 3402/3000
- Cybersecurity
- Talent management
- Knowledge and research
- COBIT 5 and COBIT 5 Online

Hans Henrik Berthing
- Married to Louise and father of Dagmar and Johannes
- CPA, CRISC, CGEIT, CISA and CIA
- ISO 9000 Lead Auditor
- Partner and owner of Verifica; financial audit since 1994 and IT assurance since 1996
- Member of the FSR IT Advisory Board
- ISACA IT Assurance Task Force
- COBIT 5 Online beta tester
- Instructor, facilitator and speaker
- Senior Advisor and Associate Professor, Aalborg University (Auditing, Risk & Compliance)

Challenges facing IT auditors today
- Resource (i.e., budget, staff) issues
- Technology, tools and aids
- Auditee/organizational issues
- IT compliance

Resource (i.e., budget, staff) issues
- Attracting the right talent / availability of experienced auditors
- Professional development and study of new technologies and techniques
- Being invited to the table on strategic and tactical directions
- Developing the soft skill-set expected of all auditors
- Education of IT auditors
- Gap between IT skills and auditing skills
- Having the necessary budgets to carry out the function
- Better salaries and career development in the operational areas
- Lack of technical knowledge
- Low interest at educational institutions (universities)
- Multiple IT standards -> more budget/manpower/time
- Audit reports written in industry-specific business language
- Staying current with rules and regulations
- Understanding business strategies (non-technical)

Technology, tools and aids issues
- IT audit frequency and scope aligned with frequent technology updates and changes
- Effective risk assessment / scoping of relevant systems
- Heavy adoption of IT by organizations, resulting in multiple applications
- Ability to align scope and results with business strategy and risks
- Clarifying how business risk can be better mitigated with IT controls
- Addressing the risks associated with cloud computing technology
- Keeping on top of regulations by industry
- Adding a new level of innovation to review processes
- Audit standardization / automated controls testing / availability of audit tools
- Controls identification and testing
- Existence of technological continuity plans to ensure business continuity
- Having a good mix of audit and security tools
- Defining whether an observation is major or minor, or the level of risk identified
- Legacy differentiation between data privacy and information security
- Use of third party providers

Auditee/organizational issues
- Business acceptance / having the support of senior management
- Growing number of persons who rely on the opinion of auditors
- IT audit is perceived to add less value at strategic and governance levels
- Lack of credibility, in the auditee's eyes, of the work of the auditor
- Little documentation of the work performed by the auditee
- Proving the business value of audit, as opposed to mere compliance
- Delays in delivery of information by the auditee
- Reluctance of audited areas to accept the observations made
- Educating on the importance of IT procedures in relation to the overall audit
- Gap between the financial reporting auditors and the IT auditors
- Having a hierarchical level within the organization that allows direct access to senior levels
- Increased complexity of the organizational environment
- Cost cutting leading to non-prioritization of information security issue mitigation
- Inexperience of the client with their own technology

IT compliance
- IT-compliance-related effort is expected to increase without significant changes to staff count
- IT compliance budgets are estimated to increase (7-10% of IT budget to compliance)
- Internal IT audit teams spend an estimated 17.5% of their time on IT compliance and privacy each, 20% each on information security and IT risk management, respectively, and about 15% on business continuity management

Current state -> Plan 2020
- Cloud computing
- Service organisation
- Cybersecurity
- Talent management
- Knowledge and research
- COBIT 5 Online

Cloud computing: business benefits of cloud computing
- Cloud strategies make the enterprise more efficient and agile.
- Cloud computing allows delivered services to be more innovative and more competitive.
- Cloud computing reduces overall operating costs.
How confident can boards be that management plans will achieve these benefits?
Source: CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask, 2013, ISACA

Value of cloud computing
- Shifting funding of IT from large capital investments (legacy IT assets) to operational expenses.
- Reallocating IT resources to core business activities.
- Easier and cheaper applications to implement, use and support.
- Increasing scalability and flexibility, enhancing the ability to respond to changing market conditions.
- Fostering innovation by shifting effort and resources from implementation projects to final product development.
Source: CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask, 2013, ISACA

Governance questions about cloud
1. Do management teams have a plan for cloud computing? Have they weighed value and opportunity costs?
2. How do current cloud plans support the enterprise's mission?
3. Have executive teams systematically evaluated organizational readiness?
4. Have management teams considered what existing investments might be lost in their cloud planning?
5. Do management teams have strategies to measure and track the value of cloud return vs. risk?
Source: CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask, 2013, ISACA

Cloud decisions (chart)
Source: Cloud Computing Market Maturity Study Results, 2012, ISACA & CSA

Cloud computing plan? (chart, n=914)
Source: IT Risk/Reward Barometer: Europe, 2012, ISACA (n=980)

Risks and security concerns with cloud computing
- Reputation, history and sustainability of the provider
- Failure to perform to agreed-upon service levels
- Where information actually resides
- Third-party access to sensitive information
- Compliance with regulations and laws in different geographic regions (public clouds)
- Information may not be immediately locatable
Source: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, ISACA

Assurance considerations
- Transparency
- Privacy
- Compliance
- Trans-border information flow
- Certification
Source: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, ISACA

Cloud market maturity (chart; values shown: 2.73 years, 3.02 years, 3.74 years; category labels not recoverable)
Source: Cloud Computing Market Maturity Study Results, 2012, ISACA & CSA

Groups driving cloud innovation (chart)
Source: Cloud Computing Market Maturity Study Results, 2012, ISACA & CSA

Cloud support for business goals (chart)
Source: Cloud Computing Market Maturity Study Results, 2012, ISACA & CSA

Service audit reports
Many business events have altered the landscape since the issuance of service audit reports:
- Increased outsourcing, including the use of shared service centers
- Continued globalization and global processing models
- Increased regulation and enhanced risk management, requiring service organization customers to obtain comfort over controls related to outsourced activities that affect their financial statements, regulatory requirements and overall business risk management
- Other territories have steadily sought to adopt their own service
- Absence of a global standard complicates engagements that cross borders
- Potential to take advantage of differing provisions within the various third party control standards

Perspective of the user entity
- Regulatory requirement: with the board of directors focusing on corporate governance, the design and implementation of internal control over financial reporting have become key responsibilities for management.
- Trend for strong internal control: continuing trend to outsource functions that may be significant to an organization's operations. Enterprises have transferred performance of many of their key controls to third-party service organizations.
- Controls can be outsourced, but management's responsibility for maintaining an effective system of internal control cannot be outsourced.

Complementary user entity controls
An ISAE 3402/3000 audit report identifies the controls designed to achieve the control objectives, including controls that the service organization intends for the user entity to implement (referred to as "complementary user entity controls"). While the specified controls should address the risks that threaten the achievement of the control objectives for most user entities, individual user entity needs may vary. As a result, user entities should consider the risks that would threaten the achievement of the control objectives from their own perspective, and consider whether the identified controls adequately address those risks. If the user entity believes that any risks are not addressed by the service organization's controls, the user entity should discuss those risks with the service organization.

Service organization responsibilities
Service organizations have five primary responsibilities:
1. Prepare and present a complete and accurate description of the system
2. Specify the control objectives of the system and state those control objectives in the description of the system
3. Identify the risks that threaten the achievement of the control objectives (although these risks are not included in the service organization report)
4. Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
5. Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided, and state the criteria used as a basis for making the assertion

Subservice organizations
- A subservice organization is a service organization used by another service organization.
- Carve-out or inclusive methods are available for dealing with services provided by subservice organizations in the report.
- Identify all subservice organizations that affect user entities' financial statements.
- Do the subservice organizations have existing service organization reports, or would they be willing to provide one to your customers? (It is cheaper and easier to provide your customers with a copy and limit your report to only your own processes.)
- Discuss the reporting strategy with the subservice organization.
- Seek assistance and cooperation from the subservice organization.
- Obtain agreement with your subservice organization regarding the strategy, and get this agreement in writing.
- If you are a subservice organization, discuss with the primary service organization how the needs of their clients will be met.

Privacy: ISAE 3000
- Compliance with the data protection act
- Data processor agreement (databehandleraftale)
- Third party reporting: ISAE 3000, ISO 27001 or ISO 27002
- Type 2: description of controls and the IT auditor's test of controls
- Period covered
- Subservice organisation
- Complementary controls

Cybersecurity
- Cybercrimes and violations are growing exponentially.
- Organizations suffer a kind of inertia in adopting a proactive policy of cyber audits and similar initiatives.
- Lack of reporting and sharing of cyber incidents and their after-effects with the community.
- Audits will make organizations aware and proactive in cybersecurity.
- COBIT 5 for Cybersecurity

Talent management
- Certifications: improve and market CISA
- Advanced-level IT audit foundation courses
- Leadership in IT audit: focus for senior IT professionals
- Audit ethics
- Effective report writing
- Soft skills
- Financial foundation
- Career path for the IT auditor

Knowledge and research
- Common IT findings / compensating controls
- Practical guidance on ISAE 3402/3000
- Guidance on generic application controls
- Emerging technologies
- Using COBIT 5
- Audit handbook for beginners

COBIT 5 and COBIT 5 Online
1. Increase awareness of COBIT 5 across a broader audience of stakeholders who are responsible and accountable for the success of IT-enabled investments.
2. Increase the perceived relevance of COBIT 5 as a business framework for ensuring the success of IT-enabled investments, from inception through to adoption, management and governance.
3. Increase the utility of COBIT 5 by making it easier for users to understand, customize, socialize and deploy, and to help facilitate greater adoption of COBIT 5 among enterprise stakeholders.

Summary
IT auditors face many challenges:
- Resources
- Knowledge
- Career management
- Risk mitigation/management
- Cloud computing
- Third party reporting
- Soft skills
COBIT 5 Online is a useful tool for the IT auditor.

Questions
Hans Henrik Berthing, Statsautoriseret revisor, CGEIT, CRISC, CISA, CIA
Phone: +45 35 36 33 56
Mobile: +45 22 20 28 21
E-mail: hhberthing@verifica.dk
Verifica Statsautoriseret Revisionsvirksomhed