© Institute of Internal Auditors 2019 1CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI | #IIACHI | WWW.FACEBOOK.COM/IIACHICAGO | HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977
Use of Frameworks to Improve Audit Communications and Reporting
Katie Shellabarger / Managing Director, TCB LLC
Steve Weber / IT Audit Manager, CDK Global, Inc.
April 1, 2019
Agenda
• Our journey to a new evaluation framework
• How an evaluation framework can improve risk dialogue with audit clients
• Understand how audit processes become highly repeatable, efficient, and standardized
• Learn how data points collected can assist in evaluating the overall control environment and identify trends / "hot spots"
• Discuss how an evaluation framework can be used as a proactive First Line of Defense tool for management
Poll Question #1
Do your audit clients read your audit reports?
A. Yes
B. No
C. Unsure
Poll Question #2
Do your audit clients find value in your audit reports?
A. Yes
B. No
C. Unsure
Poll Question #3
Do you collect information from audit reports to conclude on the overall control environment?
A. Yes
B. No
C. Unsure
"It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate." - Norman Marks
Why Audit Communications are Critical

IA Challenges and Opportunities

Value Proposition: Adding value to the business remains a key challenge for internal audit.

Data Analytics: Board & management are demanding deeper insights. IA needs to leverage more analytics & other technologies.

Priorities: Focus is on strengthening risk awareness and aligning with business strategy.

Business Changes: Challenges remain in aligning audit processes to changes in the business.
Not another framework session
Is another framework really necessary? What's wrong with the ones already in use?
The challenge is that the audit client may not be versed in the various control frameworks. Additionally, the client may not have adopted a specific framework and does not want to be held to those control standards.
Frameworks in use: NIST*, COBIT, COSO*, ISO, GTAG, GDPR, RMA, PCI DSS, IRGC, ITIL
*Indicates multiple frameworks (e.g. NIST Privacy and NIST Cybersecurity, COSO, COSO-ERM, etc.)
The Reporting Challenge
• Long reports that don't focus on what matters
• Reports don't provide information needed to run the business
• Audits are intrusive
• Need a standardized view of results
• Want a common way to compare business and technology risks
• Need a 1st/2nd LOD perspective
• Need consistent commentary on risks and tolerance
• Reports don't get read
• Too much time discussing ratings
• Reports don't capture risk tolerance
• Focus on findings - not capabilities
• Unaware of various frameworks in use
• Unsure of what to expect or the process used to evaluate their processes/controls
• Think operationally
What we did
Our Goals
• Common risk language & evaluation method
• Visual-based delivery mechanism
• Consideration of Lines of Defense
• Assessment of current state with more focus on future state for goal setting
• Intuitive tool that management could use…before or after an audit
How We Went About It
Framework
o Started with "People – Process – Technology"
o Split technology into data and technology
o Added strategy as supporting foundation
Components
o Leveraged existing frameworks, customizing to the organization
o Managed the number of components selected
Maturity assessment & risk tolerance evaluation
o Leveraged best practice guidelines (CMMI) to define current state
o Established discrete risk tolerance discussions
The Governance Framework
• Started with the five basic tenets
• Built out the components using existing frameworks
• Determine which components are in scope during the planning phase of the evaluation {part of the risk assessment process}
• Framework is agnostic to business or technology focus as it is process focused {all work is a process}
• Evaluates execution and oversight in each component
Leveraging Frameworks - Data
Components: Policy, Integrity, Identity & Access Management, Model / Architecture, Standards, Quality, Security
DAMA-DMBOK: DAMA International produced the Data Management Body of Knowledge (DAMA-DMBOK) guide, which is a collection of processes and knowledge areas that are generally accepted as best practices within the Data Management discipline.
Patch Management - Process Audit
Traditional Approach
The objective of this audit was to evaluate the design and operational effectiveness of the existing patch management process for Microsoft Windows server and laptop/desktop patches. Specifically, Internal Audit examined the following process domains:
o Selection – process to evaluate patches released by software vendors for applicability and criticality to the technology environment.
o Testing – evaluation of patches selected for implementation against existing enterprise hardware and software solutions.
o Deployment – timely installation of patches on targeted devices.
o Compliance – policy and monitoring implemented to ensure patching throughout the organization.
Leveraging the Framework
Patch Management - Process Audit
• Audit covered all five tenets across 19 components
• Assessed process execution and oversight
Governance Framework – Maturity Assessment
Can be leveraged to describe an improvement path.
Defines the state of a process using a common language and consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process.
The maturity levels evaluate the current state and help define the path to improvement.
What Internal Audit Learned
Positives
• Work papers – easier and faster to repeat
• Staff development – earlier and quicker
• More cooperation between process and IT teams – more integrated audits
• Acceptance from audit clients
Areas for Improvement
• More time on planning (LOD)
• More data – not just assessing controls
• Scoring - be ready to defend
• Resistance from audit team
• Make sure you're talking to the right people about the right things!
What We Heard
Audit Clients
• No "surprises!"
• Audits are more than just process controls
• Roadmap to improved maturity / control improvements / realistic goals
• Documented risk tolerances and acceptances
• Proactive deployment…don't have to wait for an audit to do this
Management and Audit Committee
• Standard, common language
• Consistent commentary on risks & tolerances across business and technology
• Data, data, data
"There is a correlation between engagement and analytics. If a high level of information is shared with the Audit Committee regarding the use of analytics, the committee's overall engagement is higher." - Protiviti, 2018 Internal Audit Capabilities and Needs Survey
Ex: Reporting on Control Environment (average maturity score by tenet)

Tenet        Execution  Oversight
Strategy     2.52       2.11
People       2.50       2.55
Process      2.72       2.33
Data         2.48       2.17
Technology   2.33       2.10
Process tenet by component (average maturity score)

Component                    Execution  Oversight  # Evaluations
Process (tenet overall)      2.72       2.33
Authority / Responsibility   2.87       2.17       15
Communication                2.47       2.10       15
Documentation                2.20       1.97       15
Execution / Integration      2.82       2.26       17
Regulatory / Compliance      2.86       2.43       7
Service Performance          3.67       3.67       3
Exception Management         2.14       1.71       7
Audit Issues by tenet

Tenet        Advisory  Full Scope  Total
Strategy     7         2           9
People       4         1           5
Process      11        6           17
Data         4         -           4
Technology   1         1           2
Grand Total  27        10          37
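The tenet and component tables above are roll-ups: each audit scores its in-scope components for execution and oversight on the five-level maturity scale, and the reporting averages those scores per component and per tenet and counts how many evaluations back each figure. As an added example, not part of the presenters' material, the Python below does that roll-up over constructed sample scores (the audit names, component names, 2.0 tolerance threshold and two-evaluation minimum are all assumptions) and flags "hot spot" components whose average falls below tolerance, while refusing to call a trend on a component that only one audit has touched.

```python
"""Roll per-audit maturity scores up to component and tenet averages
and flag hot spots below a risk-tolerance threshold.

Added example; the data and thresholds are constructed, not the
presenters' figures. Scores are 1-5 (CMMI-style maturity levels),
one for execution and one for oversight per component per audit.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: (audit, tenet, component, execution, oversight)
SAMPLE_SCORES = [
    ("Patch Mgmt",    "Process", "Documentation",        2, 2),
    ("Patch Mgmt",    "Process", "Exception Management", 2, 1),
    ("Patch Mgmt",    "Data",    "Integrity",            3, 2),
    ("Access Review", "Process", "Documentation",        3, 2),
    ("Access Review", "Process", "Exception Management", 1, 2),
    ("Access Review", "Data",    "Identity & Access",    3, 3),
    ("Vendor Mgmt",   "Process", "Documentation",        2, 3),
    ("Vendor Mgmt",   "Data",    "Integrity",            2, 2),
]


def validate(records):
    """Reject any score outside the 1-5 maturity scale."""
    for rec in records:
        _audit, _tenet, _comp, ex, ov = rec
        if not (1 <= ex <= 5 and 1 <= ov <= 5):
            raise ValueError(f"score out of 1-5 range in {rec}")
    return True


def aggregate_components(records):
    """Return {(tenet, component): (mean_exec, mean_oversight, n_evaluations)}."""
    validate(records)
    buckets = defaultdict(list)
    for _audit, tenet, comp, ex, ov in records:
        buckets[(tenet, comp)].append((ex, ov))
    return {
        key: (round(mean(e for e, _ in vals), 2),
              round(mean(o for _, o in vals), 2),
              len(vals))
        for key, vals in buckets.items()
    }


def aggregate_tenets(records):
    """Return {tenet: (mean_exec, mean_oversight)} over every component score
    recorded under that tenet (each evaluation weighted equally)."""
    validate(records)
    buckets = defaultdict(list)
    for _audit, tenet, _comp, ex, ov in records:
        buckets[tenet].append((ex, ov))
    return {
        tenet: (round(mean(e for e, _ in vals), 2),
                round(mean(o for _, o in vals), 2))
        for tenet, vals in buckets.items()
    }


def hot_spots(component_stats, tolerance=2.0, min_evaluations=2):
    """Components whose execution or oversight average is below tolerance.

    Components with fewer than min_evaluations data points are excluded so
    a single audit cannot be presented as an organisation-wide trend.
    """
    return sorted(
        key for key, (ex, ov, n) in component_stats.items()
        if n >= min_evaluations and (ex < tolerance or ov < tolerance)
    )


if __name__ == "__main__":
    comps = aggregate_components(SAMPLE_SCORES)
    print("Component                     Exec  Ovst  #Eval")
    for (tenet, comp), (ex, ov, n) in sorted(comps.items()):
        print(f"{tenet + ' / ' + comp:<29} {ex:<5} {ov:<5} {n}")
    print()
    print("Tenet        Exec  Ovst")
    for tenet, (ex, ov) in sorted(aggregate_tenets(SAMPLE_SCORES).items()):
        print(f"{tenet:<12} {ex:<5} {ov}")
    print()
    print("Hot spots (below 2.0, >= 2 evaluations):", hot_spots(comps))
```

With the constructed data, Exception Management averages 1.5 on both dimensions across two audits and is flagged; Integrity sits exactly at the 2.0 oversight threshold and is not; Identity & Access has a single evaluation and is held back regardless of its score. The min_evaluations guard is the point worth carrying into real reporting: the "# Evaluations" column in the tables above is what lets a reader judge how much weight a component average deserves.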
How Do You Start?
How to get started
• Define your goals
• Get an audit client advocate!
  ◦ Validate the approach
  ◦ Key to development
  ◦ Advocate to their team and colleagues
• Perform a "Proof of Concept"
  ◦ Validate / tweak based on pilot
• Start small
  ◦ Pick an "easy" audit - concrete & practical
  ◦ Continue to refine as needed
Questions?
Thank you for your time and attention!
IIA Chapter Chicago | 59th Annual Seminar