Integrating Internal Controls

Save money and increase the effectiveness of internal controls and risk management processes by coordinating compliance, enterprise risk management, privacy, information security, internal audit, and financial reporting control assessment.

MOSS ADAMS LLP | 1
A TALE OF INEFFICIENCY. OR: WHY WE CARE

• Information Security Manager, Brian
   o Performs and updates an IT security risk assessment
   o Designs and enforces IT policies and governance processes to ensure system security
   o Tests the effectiveness of the information security management program (ISMS)
• Network Security Engineer, Bill
   o Deals with constant requests from 4 different “audit”, “compliance”, or “security” stakeholders
   o Ignores the various risk assessments, and just does what “he thinks is right”.
• Internal Auditor, Mary
   o Performs an annual risk assessment of the audit universe
   o Examines internal controls for design and operating effectiveness.
• Financial Auditor, John
   o Performs a risk assessment focused on financial reporting
   o Tests the operating effectiveness of key ICOFR controls
• Compliance Manager, Sally
   o Keeps up to date with changing regulations, and communicates new requirements throughout the organization
   o Maintains a compliance management system to ensure that the organization is not breaking the law
WHAT CAN I DO?

• Integrate your risk-centric business processes
   o Get your colleagues onboard
   o Develop a Map
   o Create touchpoints between departments
   o Crosswalk controls or testing at key touchpoints

[Diagram: three layers of risk-centric business processes]
   Enterprise Risk Management: Risk Assessment | Risk Management
   Assurance: Control Design and Self Assessment | Operating Effectiveness Testing
   Program Management: Compliance | Information Security
THE GENERIC RISK MANAGEMENT CYCLE

[Diagram: a four-step cycle]
   Assess Risks -> Perform Assessment of Controls’ Design and Operation -> Report Results -> Implement Improvements -> (back to) Assess Risks
WHAT DOES IT LOOK LIKE?

• Internal Auditor, Mary: “You know Brian, I noticed that you are looking at new multi-factor authentication technologies for our internet banking customers. I was thinking about doing an audit to examine those controls.”

• Information Security Manager, Brian: “Interesting! That would be great! I did a risk assessment last year, and identified that as a key fraud risk.”

• Mary: “Let’s start by letting me evaluate your risk assessment as I plan my audit.”

• Brian: “OK. Also, I map my risk assessment to ISO 27002 controls. Do you think you could report your audit against that standard to help me evaluate risks more effectively?”
WHAT IT LOOKS LIKE (CONTINUED)

• The format is not critical.
• Just keep it simple, and manageable.
HOW WILL THIS IMPACT MY INFORMATION SECURITY PROGRAM?

• Watch out. The auditors will start to pay heed to your risk assessments, and will start to audit the areas you are concerned about.
HOW WILL THIS IMPACT INTERNAL AUDITS?

• Your internal audit program will be challenged with new sources of information for risk assessment and internal controls documentation.
• There may be messy conflicts of interest to be worked out.
   o This is a good sign that Internal Audit is valuable within your organization.
• You do not need to rely only on your own judgment or a simple survey as the only source to identify key risks in the organization.
   o Don’t let this be you:
      - How many Information Security pros does it take to change a light bulb?
      - How many did it take last year?
SHARED RISK ASSESSMENTS?

Entity / Audit Process                   Audit Total   Dollar   Operational   Compliance   Nature/       Strategic   Last time
                                         Objective     Volume   Risk          Risk         Sensitivity               Audited
                                         Score
Information Technology –                 4.10          4.00     4.00          5.00         4.00          4.00        3.00
Enterprise Applications
Accounting and Billing                   4.30          4.00     5.00          4.00         5.00          3.00        4.00
Facilities                               3.80          5.00     4.00          3.00         2.00          4.00        5.00
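A shared risk assessment like the table above is usually a spreadsheet: each entity in the audit universe is scored 1 to 5 on several risk factors, the factors are weighted, and the weighted total decides where audit, information security and compliance spend their time. The script below is an added example, not part of the Moss Adams deck; it uses the three rows from the table as constructed input. The deck does not publish the weights behind its “Audit Total Objective Score” column, so the weight sets here (equal weights, and a compliance-heavy alternative) are assumptions, and the example’s point is that the ranking depends on them.

```python
"""Weighted scoring of a shared audit-universe risk assessment.

Added example, not from the Moss Adams deck. Each entity or process is scored
1-5 on several risk factors, the factors are weighted, and the result ranks the
audit universe highest risk first. The factor weights are assumptions: the deck
does not publish the weights behind its "Audit Total Objective Score" column.
"""
from dataclasses import dataclass

FACTORS = ("dollar_volume", "operational_risk", "compliance_risk",
           "nature_sensitivity", "strategic", "last_time_audited")

# Assumed weight sets (each sums to 1.0). Equal weighting is the simplest
# defensible starting point; the second set shows how a compliance-driven
# programme would tilt the same scores.
EQUAL_WEIGHTS = {f: 1 / len(FACTORS) for f in FACTORS}
COMPLIANCE_HEAVY_WEIGHTS = {f: 0.1 for f in FACTORS}
COMPLIANCE_HEAVY_WEIGHTS["compliance_risk"] = 0.5


@dataclass(frozen=True)
class AuditEntity:
    name: str
    scores: dict  # factor name -> score on the 1..5 scale


def validate(entity: AuditEntity, weights: dict) -> None:
    """Reject incomplete or out-of-range input before it silently skews the ranking."""
    missing = set(FACTORS) - set(entity.scores)
    if missing:
        raise ValueError(f"{entity.name}: missing factor scores {sorted(missing)}")
    for factor, value in entity.scores.items():
        if not 1.0 <= value <= 5.0:
            raise ValueError(f"{entity.name}: {factor}={value} is outside the 1-5 scale")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def weighted_score(entity: AuditEntity, weights: dict = EQUAL_WEIGHTS) -> float:
    """Weighted average of the factor scores, rounded to two decimals like the slide."""
    validate(entity, weights)
    return round(sum(weights[f] * entity.scores[f] for f in FACTORS), 2)


def rank_audit_universe(entities, weights: dict = EQUAL_WEIGHTS):
    """Return (name, score) pairs, highest risk first; ties keep input order."""
    scored = [(e.name, weighted_score(e, weights)) for e in entities]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample input: the three rows shown in the deck's table.
# "last_time_audited" is treated as a risk factor in its own right, as the
# table does: a higher value means the area is more overdue for an audit.
AUDIT_UNIVERSE = [
    AuditEntity("Information Technology - Enterprise Applications",
                dict(zip(FACTORS, (4.0, 4.0, 5.0, 4.0, 4.0, 3.0)))),
    AuditEntity("Accounting and Billing",
                dict(zip(FACTORS, (4.0, 5.0, 4.0, 5.0, 3.0, 4.0)))),
    AuditEntity("Facilities",
                dict(zip(FACTORS, (5.0, 4.0, 3.0, 2.0, 4.0, 5.0)))),
]

if __name__ == "__main__":
    for label, weights in (("equal weights", EQUAL_WEIGHTS),
                           ("compliance-heavy weights", COMPLIANCE_HEAVY_WEIGHTS)):
        print(label)
        for name, score in rank_audit_universe(AUDIT_UNIVERSE, weights):
            print(f"  {score:4.2f}  {name}")
```

With equal weights the ordering matches the slide (Accounting and Billing first, then IT, then Facilities) even though the absolute totals differ from the published 4.30 / 4.10 / 3.80; with the compliance-heavy weights IT moves to the top. Whichever weights a shared model uses, the point of sharing is that every stakeholder argues over one scoring scheme instead of five.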
SHARE A CONTROL FRAMEWORK?

• COSO
• CobIT
• ISO 27000/27002
• NIST 800
• PMBOK
• CMMI
• CIS
• ITIL
• PCI
• Industry-Specific Compliance

• Do we pick one, or do we integrate several?
THE COSO INTERNAL CONTROL MODEL

[Diagram: the COSO components, layered top to bottom]
   MONITORING: throughout
   CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization
   RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation
   CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people

Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO)
ISO 27002

• Code of Practice for Information Security Management
   • Divides IT Security into 11 Categories (Domains)
   • Defines key controls over specific sub-categories
   • Defines implementation guidance for each key control
   • 39 Control Objectives with 139 Controls
   • Control objectives are generic functional requirement specifications for an organization’s information and information system security management control architecture
NIST

• NIST offers security guidance in many areas
   • Special Publications 800 Series
   • Useful high level governance standards and practices
   • Practically every IT security subject is covered here
   • Written for the Federal Government but very useful for any organization
NIST

[Slide 14: figure only; no text was extracted]
COBIT

• Value of IT, Risk, and Control
   • Links IT service delivery to business requirements (already defined, right?)
   • A lifecycle; constantly adapting, improving, re-adapting
   • Four Responsibility Domains:
      o Plan and Organize (PO)
      o Acquire and Implement (AI)
      o Deliver and Support (DS)
      o Monitor and Evaluate (ME)
   • Make a grocery list of needs and then go shopping
CENTER FOR INTERNET SECURITY (CIS)

• CIS Benchmarks provide guidelines for operating systems and databases;
• User originated, widely accepted, and reflect the consensus of expert users worldwide;
• Compliance with these benchmarks will reduce findings and lead to more secure computing platforms
• Some benchmarks include:
   o Windows Server
   o Solaris
   o Oracle
   o Exchange
ITIL - PROCESS MODELING

• When you don’t have a good understanding of “what right looks like”
• Models most “Industry Standard” information and information system technology processes
• When in doubt “check it out and test it out”
   o Maps to COBIT
   o Complementary to NIST and ISO
   o Helps to provide a starting place
   o Caution - can be complicated
CAPABILITY MATURITY

UNRELIABLE -> INFORMAL -> STANDARDIZED -> MONITORED -> OPTIMIZED

Level 1 – Unreliable
   Unpredictable environment where control activities are not designed or in place.

Level 2 – Informal
   Disclosure activities and controls are designed and in place. Controls are not adequately documented; controls mostly dependent on people. No formal training or communication of control activities.

Level 3 – Standardized
   Control activities are designed and in place. Control activities have been documented and communicated to employees. Deviations from control activities will likely not be detected.

Level 4 – Monitored
   Standardized controls with periodic testing for effective design and operation with reporting to management. Automation and tools may be used in a limited way to support control activities.

Level 5 – Optimized
   An integrated internal control framework with real-time monitoring by management with continuous improvement (Enterprise-Wide Risk Management).
CONCLUDING ON THE FRAMEWORKS

• Don’t spend all your time mapping
• Use what works
• Focus on the ‘key’ controls for your organization
• Focus on the risk assessment process first
WHAT SOFTWARE SHOULD I BUY?

• Microsoft Excel
• Enterprise-grade GRC software
• Online internal control and risk management packages
CONCLUDING

• In organizations where multiple groups have responsibilities for enterprise risk, internal control, information security, compliance:
   o Team up
   o Create touch points
      - Risk Assessment
      - Testing
      - Controls documentation
   o Use the tools, don’t let them use you
THANKS

david.dyk@mossadams.com
503-512-0004

Blockchain use cases and case studies
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacy
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentation
 

Último

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Último (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Integrating Controls for Efficiency

  • 1. INTEGRATING INTERNAL CONTROLS
    Save money and increase the effectiveness of internal controls and risk management processes by coordinating compliance, enterprise risk management, privacy, information security, internal audit, and financial reporting control assessment.
    MOSS ADAMS LLP | 1

  • 2. A TALE OF INEFFICIENCY. OR: WHY WE CARE
    • Information Security Manager, Brian
      o Performs and updates an IT security risk assessment
      o Designs and enforces IT policies and governance processes to ensure system security
      o Tests the effectiveness of the information security management program (ISMS)
    • Network Security Engineer, Bill
      o Deals with constant requests from 4 different “audit”, “compliance”, or “security” stakeholders
      o Ignores the various risk assessments, and just does what “he thinks is right”.
    • Internal Auditor, Mary
      o Performs an annual risk assessment of the audit universe
      o Examines internal controls for design and operating effectiveness.
    • Financial Auditor, John
      o Performs a risk assessment focused on financial reporting
      o Tests the operating effectiveness of key ICOFR controls
    • Compliance Manager, Sally
      o Keeps up to date with changing regulations, and communicates new requirements throughout the organization
      o Maintains a compliance management system to ensure that the organization is not breaking the law

  • 3. WHAT CAN I DO?
    • Integrate your risk-centric business processes
      o Get your colleagues onboard
      o Develop a Map
      o Create touchpoints between departments
      o Crosswalk controls or testing at key touchpoints
    [Diagram: Enterprise Risk Management (Risk Assessment, Risk Management); Assurance (Control Design and Self Assessment, Operating Effectiveness Testing); Program Management (Compliance, Information Security)]

  • 4. THE GENERIC RISK MANAGEMENT CYCLE
    [Diagram, a cycle: Assess Risks → Perform Assessment of Controls’ Design and Operation → Report Results → Implement Improvements → back to Assess Risks]

  • 5. WHAT DOES IT LOOK LIKE?
    • Internal Auditor, Mary: “You know Brian, I noticed that you are looking at new multi-factor authentication technologies for our internet banking customers. I was thinking about doing an audit to examine those controls.”
    • Information Security Manager, Brian: “Interesting! That would be great! I did a risk assessment last year, and identified that as a key fraud risk.”
    • Mary: “Let’s start by letting me evaluate your risk assessment as I plan my audit.”
    • Brian: “OK. Also, I map my risk assessment to ISO 27002 controls. Do you think you could report your audit against that standard to help me evaluate risks more effectively?”

  • 6. WHAT IT LOOKS LIKE (CONTINUED)
    • The format is not critical.
    • Just keep it simple, and manageable.

  • 7. HOW WILL THIS IMPACT MY INFORMATION SECURITY PROGRAM?
    • Watch out. The auditors will start to pay heed to your risk assessments, and will start to audit the areas you are concerned about.

  • 8. HOW WILL THIS IMPACT INTERNAL AUDITS?
    • Your internal audit program will be challenged with new sources of information for risk assessment and internal controls documentation.
    • There may be messy conflicts of interest to be worked out.
      o This is a good sign that Internal Audit is valuable within your organization.
    • You do not need to rely only on your own judgment or a simple survey as the only source to identify key risks in the organization.
      o Don’t let this be you:
         How many Information Security pros does it take to change a light bulb?
         How many did it take last year?

  • 9. SHARED RISK ASSESSMENTS?
    Entity | Audit Total Score | Process Audit Dollar Volume | Operational Risk | Compliance Risk | Nature/Sensitivity | Strategic Objective | Last time Audited
    Information Technology – Enterprise Applications | 4.10 | 4.00 | 4.00 | 5.00 | 4.00 | 4.00 | 3.00
    Accounting and Billing | 4.30 | 4.00 | 5.00 | 4.00 | 5.00 | 3.00 | 4.00
    Facilities | 3.80 | 5.00 | 4.00 | 3.00 | 2.00 | 4.00 | 5.00

  • 10. SHARE A CONTROL FRAMEWORK?
    • COSO
    • CobIT
    • ISO 27000/27002
    • NIST 800
    • PMBOK
    • CMMI
    • CIS
    • ITIL
    • PCI
    • Industry-Specific Compliance
    • Do we pick one, or do we integrate several?

  • 11. THE COSO INTERNAL CONTROL MODEL
    • MONITORING: throughout
    • CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization
    • RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation
    • CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people
    Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO)

  • 12. ISO 27002
    • Code of Practice for Information Security Management
    • Divides IT Security into 11 Categories (Domains)
    • Defines key controls over specific sub-categories
    • Defines implementation guidance for each key control
    • 39 Control Objectives with 139 Controls
    • Control objectives are generic functional requirement specifications for an organization’s information and information system security management control architecture

  • 13. NIST
    • NIST offers security guidance in many areas
    • Special Publications 800 Series
    • Useful high level governance standards and practices
    • Practically every IT security subject is covered here
    • Written for the Federal Government but very useful for any organization

  • 14. NIST
    [Image only]

  • 15. COBIT
    • Value of IT, Risk, and Control
    • Links IT service delivery to business requirements (already defined, right?)
    • A lifecycle; constantly adapting, improving, re-adapting
    • Four Responsibility Domains:
      o Plan and Organize (PO)
      o Acquire and Implement (AI)
      o Deliver and Support (DS)
      o Monitor and Evaluate (ME)
    • Make a grocery list of needs and then go shopping

  • 16. CENTER FOR INTERNET SECURITY (CIS)
    • CIS Benchmarks provide guidelines for operating systems and databases;
    • User originated, widely accepted, and reflect the consensus of expert users worldwide;
    • Compliance with these benchmarks will reduce findings and lead to more secure computing platforms
    • Some benchmarks include:
      o Windows Server
      o Solaris
      o Oracle
      o Exchange

  • 17. ITIL - PROCESS MODELING
    • When you don’t have a good understanding of “what right looks like”
    • Models most “Industry Standard” information and information system technology processes
    • When in doubt “check it out and test it out”
      o Maps to COBIT
      o Complementary to NIST and ISO
      o Helps to provide a starting place
      o Caution - can be complicated

  • 18. CAPABILITY MATURITY
    • Level 1 – Unreliable: Unpredictable environment where control activities are not designed or in place. Controls are not adequately documented; controls mostly dependent on people. No formal training or communication of control activities.
    • Level 2 – Informal: Disclosure activities and controls are designed and in place.
    • Level 3 – Standardized: Control activities are designed and in place. Control activities have been documented and communicated to employees. Deviations from control activities will likely not be detected.
    • Level 4 – Monitored: Standardized controls with periodic testing for effective design and operation, with reporting to management. Automation and tools may be used in a limited way to support control activities.
    • Level 5 – Optimized: An integrated internal control framework with real-time monitoring by management, with continuous improvement (Enterprise-Wide Risk Management).

  • 19. CONCLUDING ON THE FRAMEWORKS
    • Don’t spend all your time mapping
    • Use what works
    • Focus on the ‘key’ controls for your organization
    • Focus on the risk assessment process first

  • 20. WHAT SOFTWARE SHOULD I BUY?
    • Microsoft Excel
    • Enterprise-grade GRC software
    • Online internal control and risk management packages

  • 21. CONCLUDING
    • In organizations where multiple groups have responsibilities for enterprise risk, internal control, information security, compliance:
      o Team up
      o Create touch points
         Risk Assessment
         Testing
         Controls documentation
      o Use the tools, don’t let them use you