Strategies for Deriving Maximum - ISACA · 2017-10-27 · Strategies for Deriving Maximum Benefit...
Strategies for Deriving Maximum Benefit From Audit
Allan Boardman
CyberAdvisor.London
Agenda
Setting the scene
Why Audit often struggle working with Security and Risk
Spotlight on Audit
Spotlight on Security
Spotlight on Risk
Highlight specific conflict areas
Strategies for successful partnership
About the presenter
Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP
Independent Business Advisor – CyberAdvisor.London
Most recently Business Information Security Officer at GSK
Background in Audit, Risk, Security and Governance roles
Chair ISACA International Audit and Risk Committee, 2014/15 – currently a member
Chair ISACA International Credentialing Board & Career Management Board, 2011/14
Member ISACA International Board of Directors, 2011/14
Member ISACA International Strategy Advisory Council, 2011/14
ISACA International Vice President, 2012/14
Member ITGI Board of Trustees, 2012/14
Chair CISM Certification Committee 2009/11, member since 2006
Member ISACA CGEIT Certification Committee 2016/current
Member ISACA Leadership Development Committee 2010/11
London Chapter President 2004/06. Chapter Board member 1999/08
Paralympics and Olympics Volunteer – London 2012, Sochi 2014, Rio 2016
Are you ready for this?
Spotlight on Audit
Some common characteristics:
Enquiring
Searching
Probing
Analytical
Attention to detail
Determined
Persistent
Thorough
Question: What’s the difference between a Rottweiler and an auditor?
Answer: The Auditor eventually lets go!
Business perception?
How do others view Audit?
How does the business react when Audit arrive?
Actual business reaction??
Run for the hills, the auditors are coming!!
It’s all about perception
Spotlight on Security
Security’s dilemma:
Significantly increased threat landscape
Working with limited resources
Lack of skilled people resources
Pressure on costs
Increased level of incidents
Devote significant efforts on audit issues
Impact on BAU activities?
Is Security guilty of overusing FUD?
Does Security have an image problem?
Are Security People a Bunch of Geeks?
Spotlight on Risk
Alignment with Operational Risk
Owns the control framework and risk assessment methodology
Perception that Risk is looking ahead and Audit looking back
Potential overlaps with security
1st Line or 2nd Line?
Where does Compliance come into the picture?
Three Lines of Defence Model
The framework helps in understanding the role of internal audit in the overall risk management and internal control process.
1st Line -> Operational management controls
2nd Line -> Monitoring controls
3rd Line -> Independent assurance
Specific areas that highlight potential conflicts
Tone at the top can drive undesirable behavior
Open communications?
Audit requirements, i.e. things done because Audit “say so”
Checkbox, i.e. things done just for Audit
Strict adherence to auditing against policies
Pre-audits or clean up exercises before audits
Continuous auditing. Being “close to the deal flow”
Feeling of being over-audited
Adverse audit points linked directly to staff pay awards
So how do we move forward?
From this
To this
Communication is key
Strategies for successful partnership
Respect business priorities
Establish credibility
Develop relationships at all levels
Get a “seat at the table”
Be well prepared and learn the business
Be empathetic and reasonable
Be prepared to be flexible
Audit findings must be practical and risk based
Look for opportunities to provide advice
Be a trusted but critical partner and advisor
Solicit feedback
Communicate, communicate, communicate!
Remember:
All supporting the same business objectives
Security and Risk also have a role to play
Overall
Align with management in such a way that organizational goals are jointly achieved
“Leave every place a little better than you found it”
Word of caution: Don’t be a pushover
How much do management know about Audit?
Ten ways to get the most from Internal Audit
IT Audit Best Practices
2016
Final Reminder
If Internal Audit was an option, i.e. not mandated, would your business choose to have it?
Just a Reminder of the origins of audit (over 800 years old!)
Magna Carta signed at Runnemede, England 15 June 1215
Final, final thought……
Thank you
@allanboardman
www.linkedin.com/in/allanboardman