The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation
Tichaona Zororo, CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor; B.Sc. Honours Information Systems, PGD Computer Auditing; Accredited COBIT 5 & Certifications Trainer
Emerging & Merging Technologies - The 4th Industrial Revolution
Internet of Threats, Artificial Intelligence, Predictive Analytics, Social Media, Mobility, Cloud Computing, Blockchain, Drones & Robotics, DevOps, Augmented Reality, Cybersecurity, Smart Cities
Global figures:
- 2017 Internet Users: 3.78 Billion
- 2018 Global Internet Users: 4.021 Billion
- 2018 Global Active Mobile Social Users: 2.958 Billion
- 218 Million increase in Unique Mobile Users from 2017 to 2018
- 2018 Active Social Media Users: 3.196 Billion
- 2017 Active Social Media Users: 2.789 Billion
- 2018 Unique Mobile Users: 5.135 Billion
South Africa:
- 28.66 Million South Africans are active Internet Users (1.8 Million increase from 2016)
- 15 Million South Africans are active Social Media Users (2 Million increase from 2016)
- There are 79.91 Mobile Subscriptions in South Africa out of 55.21 South Africans
- 2018 South Africa Unique Mobile Devices: 38 Million
- 2016 Active Social Media Users in South Africa: 18 Million
- 2018 South Africa Internet Users: 30.81 Million
- 2018 Active Mobile Social Users: 16 Million
- 2018 Monthly Active Facebook users in South Africa: 18 Million
DevOps
- Perpetual development and improvement model
- Central to a company's ability to test new digital business capabilities and bring them to market rapidly
- Integration of product development with IT operations
- Moving code to production every 12 seconds
- Improved IT operations; improved business efficiency to meet market demands
- IT operations staffers work closely with development to test and launch new software features quickly, breaking traditional barriers
- Teams would no longer have to wait for signoffs, handoffs, and preparation of test environments when writing code. Those tasks would be managed within the team, with immediate input from development and operations specialists.
Stakeholders: Development, Operations, DevOps, Quality Assurance, Security
Stakeholders - The Business benefits of DevOps:
- Reduced time to market
- Faster return on investment
- High performance (Amazon, Google)
- Increased quality
- Customer satisfaction
- Reduced IT waste
- Improved supplier and business partner performance
- Human errors
Stakeholders - Risks:
- Conflicting roles leading to loss of segregation of duties and authentication
- Release rates faster than established business metrics
- Non-compliance with some regulations, e.g., PCI DSS, HIPAA
- Shadow adoption
- Lack of skills
- Resistance
- Traditional assurance providers
King IV TM on Digital Transformation Governance & Cybersecurity
Governing Body Responsibilities: Strategy, Policy, Oversight, Accountability
17 Principles & 214 Recommended Practices
Governing Body Responsibilities: Ethical Culture, Good Performance, Effective Control, Legitimacy
Governance and Cybersecurity of Information and Technology have become critical issues. Technology is no longer simply an enabler: the systems created by an enterprise provide the platform to deliver its strategic (integrated development plan) and performance (service delivery and budget implementation plan) objectives. Information and technology is now the source of many of an enterprise's future opportunities and potential disruption; risk and opportunity are increasingly two sides of the same coin. Information and Technology Governance and Cybersecurity should become a recurring item on the Audit and Risk Committee's agenda.
Principle Number 12: The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.
8 Practices
- Assume responsibility for the governance of information and technology by setting the direction for how information and technology should be approached and addressed in the organisation
- Delegate to Management the responsibility to implement and execute effective information and technology management
- Exercise ongoing oversight of information & technology management
- Exercise ongoing oversight of the management of information
- Exercise ongoing oversight of the management of technology
- Consider the need to receive periodic independent assurance on the effectiveness of the organisation's information and technology arrangements, including outsourced services
- Related disclosures
King III on IT Governance: 9 Chapters and 75 Principles
- Chapter 1: Ethical Leadership & Corporate Citizenship (3 Principles)
- Chapter 2: Boards & Directors (27 Principles)
- Chapter 3: Audit Committees (10 Principles)
- Chapter 4: The Governance of Risk (10 Principles)
- Chapter 5: The Governance of Enterprise IT (7 Principles)
- Chapter 6: Compliance with Laws, Rules, Codes and Standards (4 Principles)
- Chapter 7: Internal Audit (5 Principles)
- Chapter 8: Governing Stakeholder Relationships (6 Principles)
- Chapter 9: Integrated Reporting & Disclosure (3 Principles)
The Governance of Enterprise IT
- Principle 5.1: The board should be responsible for information technology (IT) governance
- Principle 5.2: IT should be aligned with the performance and sustainability objectives of the company
- Principle 5.3: The board should delegate to management the responsibility for the implementation of an IT governance framework
- Principle 5.4: The board should monitor and evaluate significant IT investments and expenditure
- Principle 5.5: IT should form an integral part of the company's risk management
- Principle 5.6: The board should ensure that information assets are managed effectively
- Principle 5.7: A risk committee and audit committee should assist the board in carrying out its IT responsibilities
The 10 Core Principles for the Professional Practice of Internal Auditing
- Demonstrates integrity
- Demonstrates competence and due professional care
- Is objective and free from undue influence (independent)
- Aligns with the strategies, objectives, and risks of the organisation
- Is appropriately positioned and adequately resourced
- Demonstrates quality and continuous improvement
- Communicates effectively
- Provides risk-based assurance
- Is insightful, proactive, and future-focused
- Promotes organisational improvement
Cultural Shift
Questions
Contact: Tichaona Zororo, EGIT Enterprise Governance of IT (Pty) Ltd; Tel +27 (0) 11 234 2597; Mobile +27 (0) 73 298 9606; tichaona.zororo@egit.co.za; Twitter @TichaonaZororo; tichaona.zororo; tichaonazororo
Thank you