Strategies for Deriving Maximum Benefit From Audit
Allan Boardman
CyberAdvisor.London
Agenda
Setting the scene
Why Audit often struggles when working with Security and Risk
Spotlight on Audit
Spotlight on Security
Spotlight on Risk
Highlight specific conflict areas
Strategies for successful partnership
About the presenter
Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP
Independent Business Advisor – CyberAdvisor.London
Most recently Business Information Security Officer at GSK
Background in Audit, Risk, Security and Governance roles
Chair ISACA International Audit and Risk Committee, 2014/15 – currently a member
Chair ISACA International Credentialing Board & Career Management Board, 2011/14
Member ISACA International Board of Directors, 2011/14
Member ISACA International Strategy Advisory Council, 2011/14
ISACA International Vice President, 2012/14
Member ITGI Board of Trustees, 2012/14
Chair CISM Certification Committee 2009/11, member since 2006
Member ISACA CGEIT Certification Committee 2016/current
Member ISACA Leadership Development Committee 2010/11
London Chapter President 2004/06. Chapter Board member 1999/08
Paralympics and Olympics Volunteer – London 2012, Sochi 2014, Rio 2016
Are you ready for this?
Spotlight on Audit
Some common characteristics:
Enquiring
Searching
Probing
Analytical
Attention to detail
Determined
Persistent
Thorough
Question: What’s the difference between a Rottweiler and an auditor?
Answer: The Auditor eventually lets go!
Business perception?
How do others view Audit?
How does the business react when Audit arrives?
Actual business reaction??
Run for the hills, the auditors are coming!!
It’s all about perception
Spotlight on Security
Security’s dilemma:
Significantly increased threat landscape
Working with limited resources
Lack of skilled people resources
Pressure on costs
Increased level of incidents
Significant effort devoted to audit issues
Impact on BAU (business-as-usual) activities?
Is Security guilty of overusing FUD?
Does Security have an image problem?
Are Security People a Bunch of Geeks?
Spotlight on Risk
Alignment with Operational Risk
Owns the control framework and risk assessment methodology
Perception that Risk is looking ahead and Audit looking back
Potential overlaps with security
1st Line or 2nd Line?
Where does Compliance come into the picture?
Three Lines of Defence Model
The framework helps in understanding the role of internal audit in the overall risk management and internal control process.
1st Line -> Operational management controls
2nd Line -> Monitoring controls
3rd Line -> Independent assurance
Specific areas that highlight potential conflicts
Tone at the top can drive undesirable behaviour
Open communications?
Audit requirements, i.e. things done because Audit “say so”
Checkbox, i.e. things done just for Audit
Strict adherence to auditing against policies
Pre-audits or clean up exercises before audits
Continuous auditing. Being “close to the deal flow”
Feeling of being over-audited
Adverse audit points linked directly to staff pay awards
So how do we move forward?
From this
To this
Communication is key
Strategies for successful partnership
Respect business priorities
Establish credibility
Develop relationships at all levels
Get a “seat at the table”
Be well prepared and learn the business
Be empathetic and reasonable
Be prepared to be flexible
Audit findings must be practical and risk-based
Look for opportunities to provide advice
Be a trusted but critical partner and advisor
Solicit feedback
Communicate, communicate, communicate!
Remember:
All supporting the same business objectives
Security and Risk also have a role to play
Overall
Align with management in such a way that organizational goals are jointly achieved
“Leave every place a little better than you found it”
Word of caution: Don’t be a pushover
How much does management know about Audit?
Ten ways to get the most from Internal Audit
IT Audit Best Practices
2016
Final Reminder
If Internal Audit was an option, i.e. not mandated, would your business choose to have it?
Just a reminder of the origins of audit (over 800 years old!): Magna Carta, sealed at Runnymede, England, 15 June 1215
Final, final thought……
Thank you
@allanboardman
www.linkedin.com/in/allanboardman