Brainwave GRC - Continuous Audit and Controls at ISACA event
Transcript of Brainwave GRC - Continuous Audit and Controls at ISACA event
Continuous Audit & Control?
Continuous Audit: combined continuous evaluation of risks and controls on IT systems. Continuous audit allows the internal auditor to communicate his analysis of the object under consideration far faster than in the traditional retrospective approach.
Continuous Control: a process executed by management that enables them to verify that controls are functioning effectively (MPA 2320-4: Continuous Assurance).
Source: GTAG 3, Institute of Internal Auditors
© Brainwave GRC – Proprietary and Confidential Information – All Rights Reserved
Why put in place continuous audit and controls?
Rapid adaptation to the evolution of the enterprise:
More interactions with partners and outside providers
Evolution of systems, consolidation, cloud adoption
More sharing of data
Evolution of work: employees, consultants, outsourced operations
Reduce the impact of risk
Efficiency (automation)
Proactive vs. reactive
Add value to the Line of Business
What are the hurdles?
You?
Data silos
Data volume to manage
Complexity of controls
Identify best solutions
Financial and operational support from IT and the Line of Business
Hurdles to deploying continuous audit and controls: Technology
Computing power
Progress of analytics
Reliability and traceability
Productivity (automation)
Availability
Capabilities of technology
What approach to adopt?
The following is based on real deployment cases with clients; details have been anonymized.
Step 1: Exhaustive controls on the existing perimeter
Step 2: Add new controls and extend the perimeter
Step 3: Implement more sophisticated controls
Step 4: Controls on business processes
Step 5: Behavioral analytics
Motivation 1: Reduce surprises!
Internal Audit, preparation: I take a sample, get results, remediate.
External Audit, the big day: new sample, unpleasant surprise!
In-depth control (SOX): select more data and ask detailed questions of IT, internal audit…
Motivation 2: Be more proactive
Calendar: audit launched in February, results in August, corrections in September. In between, no visibility.
Organization and risks change rapidly: reorganization / acquisition / sale
New systems, partners
New risks, new regulations
Motivation 3: Enable business
I manage valuable data for my clients, in a very competitive and sensitive sector.
New client > new applications > new controls: explosive growth in the cost of implementing a new control.
This is unsustainable; I do not want to be a permanent roadblock to business!
Step 1: Exhaustive controls on the existing perimeter
Define audit frequency
Automate the collection process
Resume data extracts
Sample -> comprehensive controls
No more surprises: I have control over everyone
I have the answers to questions from my auditor
Complete view of access to applications: individuals and entities; applications & permissions
Step 2: Add new controls and extend the perimeter
The right automation solution allows new controls to be added with minimal effort and no coding
Agile construction of the control and rule matrix
Visualization of data access: individuals and entities; shared folders and type of access
Step 3: Implement more sophisticated controls
Sophisticated control: FRAUD
SoD + multiple operational steps across several applications, based on a fraud scenario
Object: a trader on mandatory vacation must not access the trading platform
Data: vacation/time-tracking application (HR), physical access control system (badge swipes), trading platform
Results: list of suspects sent to the manager in charge of the control for investigation
Scale: 1,500 controls, 450 applications, run 2 times a week
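The mandatory-vacation control described above, as an added worked example in Python (not Brainwave GRC's code): it joins constructed extracts from the three named sources on user id, reports every trader who touched the trading platform during a mandatory leave period, and attaches badge swipes from the same window as corroborating evidence. The record layouts, user ids, door names and event names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed sample extracts (not real data). Each list mimics one of the
# three source systems named on the slide; a real deployment would load
# these from the systems' exports and reconcile user identifiers first.
HR_LEAVE = [
    # (user_id, leave_type, first_day, last_day) from the HR time-tracking app
    ("t.marsh", "MANDATORY", date(2024, 3, 4), date(2024, 3, 15)),
    ("a.quinn", "MANDATORY", date(2024, 3, 11), date(2024, 3, 22)),
    ("l.ortiz", "SICK", date(2024, 3, 6), date(2024, 3, 7)),
]
BADGE_SWIPES = [
    # (user_id, timestamp, door) from the physical access control system
    ("t.marsh", datetime(2024, 3, 7, 8, 12), "TRADING-FLOOR-E1"),
    ("t.marsh", datetime(2024, 3, 18, 8, 5), "TRADING-FLOOR-E1"),
    ("a.quinn", datetime(2024, 3, 12, 19, 40), "SERVER-ROOM-B"),
]
TRADING_EVENTS = [
    # (user_id, timestamp, event) from the trading platform's audit log
    ("t.marsh", datetime(2024, 3, 7, 8, 30), "LOGIN"),
    ("t.marsh", datetime(2024, 3, 7, 9, 2), "ORDER_AMEND"),
    ("t.marsh", datetime(2024, 3, 18, 8, 20), "LOGIN"),
    ("a.quinn", datetime(2024, 3, 12, 19, 55), "LOGIN"),
    ("l.ortiz", datetime(2024, 3, 6, 10, 0), "LOGIN"),
]


@dataclass
class Finding:
    user_id: str
    leave_start: date
    leave_end: date
    platform_events: list = field(default_factory=list)  # (timestamp, event)
    badge_swipes: list = field(default_factory=list)     # (timestamp, door)


def in_window(ts: datetime, start: date, end: date) -> bool:
    """True when the event's calendar day falls inside the leave period (inclusive)."""
    return start <= ts.date() <= end


def mandatory_leave_control(hr_leave, badge_swipes, trading_events):
    """Hypothetical control: a trader on mandatory leave must not use the
    trading platform.  Returns one Finding per breached leave period.  The
    breach is defined by trading-platform activity; badge swipes in the same
    window are attached as corroborating evidence (a swipe on its own is not
    a breach, since a trader may legitimately visit the building)."""
    findings = []
    for user, leave_type, start, end in hr_leave:
        if leave_type != "MANDATORY":
            continue  # only mandatory leave is subject to this control
        events = sorted((ts, ev) for u, ts, ev in trading_events
                        if u == user and in_window(ts, start, end))
        if not events:
            continue
        swipes = sorted((ts, door) for u, ts, door in badge_swipes
                        if u == user and in_window(ts, start, end))
        findings.append(Finding(user, start, end, events, swipes))
    return findings


def suspects(findings):
    """Sorted list of user ids to hand to the control owner for investigation."""
    return sorted(f.user_id for f in findings)


if __name__ == "__main__":
    for f in mandatory_leave_control(HR_LEAVE, BADGE_SWIPES, TRADING_EVENTS):
        print(f"{f.user_id}: leave {f.leave_start}..{f.leave_end}, "
              f"{len(f.platform_events)} platform event(s), "
              f"{len(f.badge_swipes)} badge swipe(s)")
```

Two practical caveats the slide leaves implicit: the three systems rarely share a user identifier, so an identity-reconciliation step (HR id to badge id to trading login) has to precede the join, and the timestamps must be aligned to one time zone before comparing them with calendar dates, otherwise an evening login on the last day of leave can land on the wrong side of the window.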
Residual access in real life: a situation that must be temporary
Sophisticated control: INTERNAL MOBILITY
Manufacturing client
Temporary exception on the SoD matrix: internal transfer
Track deviations with a custom tolerance threshold (x%)
Alert temporarily suppressed (x days)
Scale: 1 million identities, 65 million tested permissions
Pareto: identify priorities for remediation
Resolving conflicts on these 6 SoD rules would eliminate 80% of problems.
Step 4: Business process controls
Add a financial dimension to IT risks
Additional level of comfort for internal & external auditors
SoD on complete business processes
End-to-end view of fraud risk in the "Purchase to Pay" process: detect intra-application frauds, detect inter-application frauds, model segregation of duties conflicts
Valuation of fraud risks on business processes: allocation of potential fraud risks by business process; impact of proven fraud by business process
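The internal mobility control under Step 3 (a temporary exception with a grace period, a tolerance threshold, and a Pareto ranking of the rules to remediate first) and the SoD modelling under Step 4 (intra- and inter-application conflicts) describe the same mechanics, so one added Python example serves both. This is not Brainwave GRC's code; the rule ids, permission names, identities, transfer dates, 30-day grace period and 15% tolerance are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not real extracts).  Permission names carry an
# application prefix so that a rule can stay inside one application
# (SOD-01: create a vendor and pay its invoices, both in AP) or span two
# (SOD-04: raise a purchase order in PO and pay the invoice in AP).
SOD_RULES = {
    "SOD-01": ("AP:CREATE_VENDOR", "AP:PAY_INVOICE"),
    "SOD-02": ("PO:CREATE_ORDER", "PO:APPROVE_ORDER"),
    "SOD-03": ("GL:POST_JOURNAL", "GL:CLOSE_PERIOD"),
    "SOD-04": ("PO:CREATE_ORDER", "AP:PAY_INVOICE"),
}
# identity -> permissions currently held, as collected from the applications
PERMISSIONS = {
    "u001": {"AP:CREATE_VENDOR", "AP:PAY_INVOICE"},
    "u002": {"AP:CREATE_VENDOR", "AP:PAY_INVOICE", "GL:POST_JOURNAL"},
    "u003": {"AP:CREATE_VENDOR", "AP:PAY_INVOICE"},
    "u004": {"AP:CREATE_VENDOR", "AP:PAY_INVOICE", "PO:CREATE_ORDER", "PO:APPROVE_ORDER"},
    "u005": {"GL:POST_JOURNAL", "GL:CLOSE_PERIOD"},
    "u006": {"HR:CREATE_EMPLOYEE", "PAYROLL:RUN"},
    "u007": {"AP:CREATE_VENDOR"},
    "u008": {"AP:CREATE_VENDOR", "AP:PAY_INVOICE"},
    "u009": {"PO:CREATE_ORDER", "PO:APPROVE_ORDER"},
    "u010": {"PO:CREATE_ORDER", "AP:PAY_INVOICE"},
}
# Internal transfers: the old role's permissions may linger for a while, so
# alerts are suppressed (not deleted) for GRACE_DAYS after the transfer date.
TRANSFERS = {"u004": date(2024, 5, 20), "u005": date(2024, 2, 1)}
GRACE_DAYS = 30
AS_OF = date(2024, 6, 1)  # date of this control run


def sod_conflicts(permissions, rules):
    """Every (identity, rule_id) pair where the identity holds both sides of the rule."""
    return [(ident, rid)
            for ident, perms in permissions.items()
            for rid, (left, right) in rules.items()
            if left in perms and right in perms]


def apply_transfer_exceptions(conflicts, transfers, as_of, grace_days):
    """Split conflicts into (alerts, suppressed).  A conflict on an identity
    transferred less than grace_days before as_of is suppressed rather than
    dropped, so it reappears by itself once the grace period lapses."""
    alerts, suppressed = [], []
    for ident, rid in conflicts:
        moved = transfers.get(ident)
        if moved is not None and timedelta(0) <= as_of - moved < timedelta(days=grace_days):
            suppressed.append((ident, rid))
        else:
            alerts.append((ident, rid))
    return alerts, suppressed


def rules_over_tolerance(alerts, population, tolerance):
    """Rules whose conflict rate (alerts / identities in scope) exceeds the tolerance."""
    counts = Counter(rid for _, rid in alerts)
    return [rid for rid, n in counts.most_common() if n / population > tolerance]


def pareto(alerts, target=0.8):
    """Rank rules by alert count; return the shortest prefix that covers at
    least `target` of all alerts, together with the coverage actually reached."""
    counts = Counter(rid for _, rid in alerts)
    total = sum(counts.values())
    chosen, covered = [], 0
    for rid, n in counts.most_common():
        chosen.append((rid, n))
        covered += n
        if covered >= target * total:
            break
    coverage = covered / total if total else 0.0
    return chosen, coverage


if __name__ == "__main__":
    conflicts = sod_conflicts(PERMISSIONS, SOD_RULES)
    alerts, suppressed = apply_transfer_exceptions(conflicts, TRANSFERS, AS_OF, GRACE_DAYS)
    print(len(conflicts), "conflicts:", len(alerts), "alerts,",
          len(suppressed), "suppressed by transfer grace period")
    print("over tolerance:", rules_over_tolerance(alerts, len(PERMISSIONS), 0.15))
    print("remediate first:", pareto(alerts))
```

The suppression is deliberately date-based rather than a permanent whitelist: the residual access of a transferred employee is exactly the "situation that must be temporary" on the slide, and an exception that never expires turns a control into a blind spot.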
Details of dangerous transactions: why did an ASSISTANT perform these dangerous transactions?
Step 5: Behavioral analytics, detect unknown risks
Individuals with abnormal behavior: number of files accessed abnormally high for an IT consultant
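The behavioral-analytics case above (an IT consultant whose file access count is abnormally high) only works if the person is compared with the right peer group rather than with the whole population. The added Python below (not Brainwave GRC's code) shows one way to do that with a robust median/MAD score; the job titles, access counts and the threshold of 3 are constructed assumptions.

```python
import statistics

# Constructed sample (not real data): files accessed by each person over the
# review window, with the job title used to form the peer group.
ACCESS_COUNTS = {
    "c.lee":  ("IT consultant", 38),
    "m.roy":  ("IT consultant", 41),
    "d.kim":  ("IT consultant", 35),
    "p.nair": ("IT consultant", 44),
    "j.cole": ("IT consultant", 39),
    "s.diaz": ("IT consultant", 240),  # unusual for a consultant, ordinary for an accountant
    "r.fox":  ("Accountant", 210),
    "e.wu":   ("Accountant", 195),
    "b.ali":  ("Accountant", 230),
    "k.ito":  ("Accountant", 205),
}

MAD_TO_SIGMA = 1.4826  # scales the median absolute deviation to a std-dev equivalent


def flag_abnormal(access, threshold=3.0, by_peer_group=True):
    """Return people whose access count sits more than `threshold` robust
    standard deviations above their peer group's median.  Median/MAD are
    used instead of mean/std-dev so that the outlier being hunted does not
    inflate the baseline it is compared against.  Only the high side is
    flagged, because the question on the slide is who accessed too much."""
    groups = {}
    for user, (title, n) in access.items():
        groups.setdefault(title if by_peer_group else "ALL", []).append((user, n))
    findings = []
    for group, members in groups.items():
        values = [n for _, n in members]
        med = statistics.median(values)
        mad = statistics.median([abs(v - med) for v in values])
        scale = MAD_TO_SIGMA * mad
        for user, n in members:
            dev = n - med
            if dev <= 0:
                continue
            # zero spread in the group: any positive deviation is abnormal
            score = dev / scale if scale else float("inf")
            if score > threshold:
                findings.append({"user": user, "peer_group": group, "files": n,
                                 "peer_median": med, "score": round(score, 1)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for hit in flag_abnormal(ACCESS_COUNTS):
        print(f"{hit['user']} ({hit['peer_group']}): {hit['files']} files, "
              f"peer median {hit['peer_median']}, score {hit['score']}")
    print("without peer groups:", flag_abnormal(ACCESS_COUNTS, by_peer_group=False))
```

Run against the whole population instead of the peer group (`by_peer_group=False`), the same data flags nobody: 240 files is unremarkable next to the accountants. The peer-group attribute therefore matters as much as the statistic, and the job title has to come from an authoritative HR source rather than from whatever the user typed into a directory profile.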
Benefits (before vs. after, per stakeholder)
Internal Audit: data collection & processing, analysis of results, remediation
Line of Business / application manager: time to perform reviews, time to monitor reviews
IT: data collection, response to auditors, corrections
Better relations between business, IT, internal audit & external audit
Gain in productivity across the organisation
Increased value add
Share!
Share results and benefits with: Internal Audit, IT Security, Operational Risk, application owners, Line of Business, external auditors
Deliver value: value added by analytics across the organisation
Speed: 30 to 90 days of effort to production
Flexibility / agility: autonomy to create controls and analyse results
More confidence and comfort, more value across the organisation, more operational and financial support
Contacts
Emmanuel Sol, C: +1 514 647 6574
Eric In, D: +1 437 836 3621, C: +1 647 544 [email protected]
Graeme Hein, C: +1 416 795 [email protected]