© Institute of Internal Auditors 2019 1 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977

Improve Audit Communications and Reporting


Page 1

Page 2

Use of Frameworks to Improve Audit Communications and Reporting
KATIE SHELLABARGER / MANAGING DIRECTOR, TCB LLC
STEVE WEBER / IT AUDIT MANAGER, CDK GLOBAL, INC.
APRIL 1, 2019

Page 3

Agenda
• Our journey to a new evaluation framework
• How an evaluation framework can improve risk dialogue with audit clients
• Understand how audit processes become highly repeatable, efficient, and standardized
• Learn how data points collected can assist in evaluating the overall control environment and identify trends / “hot spots”
• Discuss how an evaluation framework can be used as a proactive First Line of Defense tool for management

Page 4

Poll Question #1
DO YOUR AUDIT CLIENTS READ YOUR AUDIT REPORTS?
A. Yes
B. No
C. Unsure

Page 5

Poll Question #2
DO YOUR AUDIT CLIENTS FIND VALUE IN YOUR AUDIT REPORTS?
A. Yes
B. No
C. Unsure

Page 6

Poll Question #3
DO YOU COLLECT INFORMATION FROM AUDIT REPORTS TO CONCLUDE ON OVERALL CONTROL ENVIRONMENT?
A. Yes
B. No
C. Unsure

Page 7

Why Audit Communications are Critical

“It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate.” - Norman Marks

Page 8

IA Challenges and Opportunities

Value Proposition
Adding value to the business remains a key challenge for internal audit.

Data Analytics
Board & management are demanding deeper insights. IA needs to leverage more analytics & other technologies.

Priorities
Focus is on strengthening risk awareness and aligning with business strategy.

Business Changes
Challenges remain in aligning audit processes to changes in the business.

Page 9

Not another framework session
Is another framework really necessary? What’s wrong with the ones already in use?
The challenge is that the audit client may not be versed in the various control frameworks. Additionally, the client may not adopt a specific framework and does not want to be held to those control standards.

NIST*
COBIT
COSO*
ISO
GTAG
GDPR
RMA
PCI DSS
IRGC
ITIL

*Indicates multiple frameworks (e.g. NIST-Privacy and NIST – Cybersecurity, COSO, COSO-ERM, etc.)

Page 10

The Reporting Challenge
• Long reports that don’t focus on what matters
• Reports don’t provide information needed to run the business
• Audits are intrusive
• Need a standardized view of results
• Want common way to compare business and technology risks
• Need a 1st/2nd LOD perspective
• Need consistent commentary on risks and tolerance
• Reports don’t get read
• Too much time discussing ratings
• Reports don’t capture risk tolerance
• Focus on findings - not capabilities
• Unaware of various frameworks in use
• Unsure of what to expect or process used to evaluate their processes/controls
• Think operationally

Page 11

What we did

Page 12

Our Goals
• Common risk language & evaluation method
• Visual-based delivery mechanism
• Consideration of Lines of Defense
• Assessment of current state with more focus on future state for goal setting
• Intuitive tool that management could use…before or after an audit

Page 13

How We Went About It

Framework
o Started with “People – Process – Technology”
o Split technology into data and technology
o Added strategy as supporting foundation

Components
o Leveraged existing frameworks; customizing to organization
o Managed the number of components selected

Maturity assessment & risk tolerance evaluation
o Leveraged best practice guidelines (CMMI) to define current state
o Established discrete risk tolerance discussions

Page 14

The Governance Framework
• Started with the five basic tenets
• Built out the components using existing frameworks
• Determine which components are in scope during planning phase of the evaluation {part of the risk assessment process}
• Framework is agnostic to business or technology focus as it is process focused {all work is a process}
• Evaluates execution and oversight in each component

Page 15

Leveraging Frameworks - DAMA-DMBOK

Data: Policy, Integrity, Identity & Access Management, Model / Architecture, Standards, Quality, Security

DAMA International produced the data management body of knowledge (DAMA-DMBOK) guide, which is a collection of processes and knowledge areas that are generally accepted as best practices within the Data Management discipline.

Page 16

Traditional Approach
Patch Management - Process Audit

The objective of this audit was to evaluate the design and operational effectiveness of the existing patch management process for Microsoft Windows server and laptop/desktop patches. Specifically, Internal Audit examined the following process domains:
o Selection – process to evaluate patches released by software vendors for applicability and criticality to the technology environment.
o Testing – evaluation of patches selected for implementation against existing enterprise hardware and software solutions.
o Deployment – timely installation of patches on targeted devices.
o Compliance – policy and monitoring implemented to ensure patching throughout the organization.

Page 17

Leveraging the Framework
Patch Management - Process Audit
• Audit covered all five tenets across 19 components
• Assessed process execution and oversight

Page 18

Governance Framework – Maturity Assessment
• Can be leveraged to describe an improvement path
• Defines the state of a process using a common language and consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process.
• The maturity levels evaluate the current state and help define the path to improvement.

Page 19

What Internal Audit Learned

Positives
• Work papers – easier and faster to repeat
• Staff development – earlier and quicker
• More cooperation between process and IT teams – more integrated audits
• Acceptance from audit clients

Areas for Improvement
• More time on planning (LOD)
• More data – not just assessing controls
• Scoring - be ready to defend
• Resistance from audit team

Make sure you're talking to the right people about the right things!

Page 20

What We Heard

AUDIT CLIENTS
• No “Surprises!”
• Audits are more than just process controls
• Roadmap to improved maturity / control improvements / realistic goals
• Documented risk tolerances and acceptances
• Proactive deployment… don’t have to wait for audit to do this

MANAGEMENT AND AUDIT COMMITTEE
• Standard, common language
• Consistent commentary on risks & tolerances across business and technology
• Data, data, data

Page 21

“There is a correlation between engagement and analytics. If a high level of information is shared with the Audit Committee regarding the use of analytics, the committee’s overall engagement is higher” - Protiviti, 2018 Internal Audit Capabilities and Needs Survey

Page 22

EX: Reporting on Control Environment

Tenet         Execution   Oversight
Strategy         2.52        2.11
People           2.50        2.55
Process          2.72        2.33
Data             2.48        2.17
Technology       2.33        2.10

Process components            Execution   Oversight   # Evaluations
Process (tenet)                  2.72        2.33
Authority / Responsibility       2.87        2.17          15
Communication                    2.47        2.10          15
Documentation                    2.20        1.97          15
Execution / Integration          2.82        2.26          17
Regulatory / Compliance          2.86        2.43           7
Service Performance              3.67        3.67           3
Exception Management             2.14        1.71           7

Audit Issues    Advisory   Full Scope   Total
Strategy            7          2           9
People              4          1           5
Process            11          6          17
Data                4          -           4
Technology          1          1           2
Grand Total        27         10          37
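The roll-up behind these tables, as an added example in Python that is not part of the slide deck: the Process tenet's component scores are aggregated into the tenet's execution/oversight pair, and components are flagged as the "hot spots" the agenda mentions. The tolerance of 2.0 and the 0.5 oversight gap are hypothetical thresholds, and the observation that an unweighted mean of component means reproduces the slide's 2.72 / 2.33 comes from the numbers themselves, not from a method the slides state.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Component:
    name: str
    execution: float   # maturity of how the process is performed (CMMI-style 1-5)
    oversight: float   # maturity of how the process is monitored and governed
    evaluations: int   # number of audits in which this component was scored


# Constructed from the Process-tenet table on the slide (the slide's own figures).
PROCESS_COMPONENTS = [
    Component("Authority / Responsibility", 2.87, 2.17, 15),
    Component("Communication", 2.47, 2.10, 15),
    Component("Documentation", 2.20, 1.97, 15),
    Component("Execution / Integration", 2.82, 2.26, 17),
    Component("Regulatory / Compliance", 2.86, 2.43, 7),
    Component("Service Performance", 3.67, 3.67, 3),
    Component("Exception Management", 2.14, 1.71, 7),
]


def tenet_score(components, weighted=False):
    """Roll component scores up to one (execution, oversight) pair for the tenet.

    weighted=False is an unweighted mean of component means and reproduces the
    slide's Process row (2.72 / 2.33). weighted=True weights each component by
    its evaluation count; the result differs because Service Performance scored
    highest but was evaluated only 3 times, so the roll-up method must be stated.
    """
    if weighted:
        n = sum(c.evaluations for c in components)
        ex = sum(c.execution * c.evaluations for c in components) / n
        ov = sum(c.oversight * c.evaluations for c in components) / n
    else:
        ex = mean(c.execution for c in components)
        ov = mean(c.oversight for c in components)
    return round(ex, 2), round(ov, 2)


def hot_spots(components, tolerance=2.0, max_gap=0.5):
    """Names of components below the (hypothetical) tolerance on either dimension,
    or where oversight lags execution by more than max_gap: trends surfaced from
    the collected data rather than from individual audit findings."""
    return sorted(c.name for c in components
                  if min(c.execution, c.oversight) < tolerance
                  or c.execution - c.oversight > max_gap)
```

Changing `weighted` shows why the aggregation rule belongs in the report: the same component data yields 2.72 / 2.33 unweighted but 2.62 / 2.18 weighted by evaluation count.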

Page 23

How Do You Start?

Page 24

How to get started
Define your goals
Get an audit client advocate!
◦ Validate the approach
◦ Key to development
◦ Advocate to their team and colleagues
Perform “Proof of Concept”
◦ Validate / tweak based on pilot
Start small
◦ Pick “easy” audit - concrete & practical
◦ Continue to refine as needed

Page 25

Questions?

Page 26

Thank you for your time and attention!
IIA CHAPTER CHICAGO | 59TH ANNUAL SEMINAR